Comments

  • Optional@lemmy.world · 21 upvotes · 8 days ago

    We responsibly disclosed the issue to Mozilla and to the Tor Project. Mozilla has quickly released the fix in Firefox 150 and ESR 140.10.0, and the patch is tracked in Mozilla Bug 2024220. The underlying root cause is inherited by Tor Browser through Gecko’s IndexedDB implementation, so the issue is relevant to both products and to all Firefox-based browsers.

    The fix is straightforward in principle: the browser should not expose internal storage ordering that reflects process-scoped state. Canonicalizing or sorting results before returning them removes the entropy and prevents this API from acting as a stable identifier.
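Added illustration of the mechanism the comment describes (not Gecko code, not from the commenter or Mozilla): a constructed model in which an internal table's iteration order depends on a per-process seed, an enumeration API that exposes that order, and the canonicalized version that does not. The hash function, store names and seed range are assumptions made for the demo.

```javascript
// Constructed model of "internal storage ordering that reflects process-scoped
// state". Not Firefox/Gecko code; names and hash are made up for illustration.

// Deterministic 32-bit FNV-1a-style hash, mixed with a per-process seed.
function hash32(str, seed) {
  let h = (0x811c9dc5 ^ seed) >>> 0;
  for (const ch of str) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Leaky enumeration: returns names in hash-table walk order, which is a
// function of the process seed, so two processes give different orders.
function internalOrder(names, processSeed) {
  return [...names].sort(
    (a, b) => hash32(a, processSeed) - hash32(b, processSeed));
}

// Fixed enumeration: canonicalize (sort by name) before returning, so the
// result depends on the stored data only, never on process-scoped state.
function canonicalOrder(names) {
  return [...names].sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
}

// Defender-side check: count distinct orderings across many simulated
// processes; log2 of that count is the identifier entropy (bits) the API
// exposes. A correctly canonicalized API must score 0 bits.
function orderingEntropyBits(enumerate, names, processes) {
  const seen = new Set();
  for (let seed = 1; seed <= processes; seed++) {
    seen.add(JSON.stringify(enumerate(names, seed)));
  }
  return Math.log2(seen.size);
}

// Constructed sample of object-store names.
const STORES = ["cache", "sessions", "prefs", "history", "bookmarks", "downloads"];
```

Running `orderingEntropyBits` over both enumerators shows the leaky one yields a non-zero entropy while the canonicalized one yields 0, which is the property a regression test for the fix would assert.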

    • Deebster@infosec.pub · 5 upvotes · 8 days ago

      I wouldn’t be so sure - I can see someone accidentally stumbling over it doing something benign like TDD.