We found a stable Firefox identifier linking all your private Tor identities


TLDR

  • A process-scoped Firefox identifier persists across Tor Browser tabs within a single session, allowing cross-identity linkage without cookies or storage.

Key Takeaways

  • The identifier is process-scoped, not origin-scoped, so it survives tab isolation and new Tor circuits within one browser session.
  • It does not persist across browser restarts, which limits attacker utility but does not eliminate risk for long-running sessions.
  • Firefox’s 2021 site isolation (one process per site) may be orthogonal to this issue; the bug predates or bypasses that boundary.
  • The practical mitigation is simple: exit Tor Browser fully between distinct identities, and never mix use cases in one session.
  • Web APIs like IndexedDB expose process-level timing or state that browsers never gate behind permission prompts, unlike the permission models of mobile operating systems.

Hacker News Comment Review

  • Consensus: risk is real but bounded – restart-scoped identifiers are far less dangerous than persistent ones; the threat model is long-session cross-tab correlation, not cross-reboot tracking.
  • Tension: commenters question why Mozilla received a responsible disclosure from a fingerprinting vendor – the business incentive points toward keeping the bug private, which raises credibility questions about the vendor’s motives.
  • Implementation gap: browsers expose IndexedDB, canvas, and similar APIs silently with no user permission model; several commenters argue the Web API surface area itself is the root cause, not individual bugs.
  • Open question: why are these internal databases not scoped to the origin that created them, the way cookies are? A process-global namespace is an unusual and dangerous design choice.

Notable Comments

  • @yencabulator: Exit Tor Browser fully between sessions; never mix two identities in one process lifetime.
  • @lpapez: Questions why a fingerprinting company would burn a working zero-day via responsible disclosure – “I don’t see many threat actors burning their zero days through responsible disclosure.”
  • @bawolff: Non-persistence across restarts significantly reduces attacker value; frames this as a session-hygiene problem more than a structural one.
  • @VladVladikoff: Asks the sharpest architectural question – why are these internal databases not origin-scoped like cookies?
