
IndexedDB Fingerprinting: The Hidden Storage API That Reveals Your Digital Identity
IndexedDB fingerprinting is one of the most underestimated tracking vectors in the modern browser landscape. While most privacy discussions focus on cookies, canvas, and WebGL, the IndexedDB API quietly exposes a rich set of signals that can uniquely identify and persistently track users across browsing sessions — even after clearing cookies and site data.
In 2026, as advertisers and tracking platforms scramble to replace third-party cookies, client-side storage APIs like IndexedDB have become prime targets for fingerprinting exploitation. From database enumeration that reveals which web apps you use, to storage quota probing that leaks your disk size, IndexedDB creates fingerprinting surfaces that most users — and many privacy tools — don’t account for.
This technical deep-dive explores exactly how indexed db fingerprinting works, why it’s so persistent, and what you can realistically do to protect yourself in 2026.
What Is IndexedDB and Why Does It Matter for Privacy?
IndexedDB is a low-level browser API for storing large amounts of structured data on the client side. Unlike localStorage (which is limited to ~5MB of key-value string pairs), IndexedDB supports:
- Large storage quotas — typically up to 50% of available disk space
- Structured data — objects, arrays, binary blobs, and files
- Indexed queries — efficient lookups via database indexes
- Transactional operations — ACID-compliant read/write transactions
- Asynchronous access — non-blocking operations via promises and events
Every major browser supports IndexedDB — Chrome, Firefox, Safari, Edge, and Brave all include full implementations. It’s used by progressive web apps (PWAs), offline-first applications, email clients, and countless SaaS tools to store data locally. This ubiquity is precisely what makes it a fingerprinting goldmine.
If you’re new to browser fingerprinting concepts, our comprehensive guide on what a browser fingerprint is and how protection works provides the foundational context for understanding these storage-based tracking vectors.
How IndexedDB Fingerprinting Works: 5 Attack Vectors
IndexedDB fingerprinting isn’t a single technique — it’s a family of methods that exploit different aspects of the API. Here are the five primary attack vectors used in 2026:
1. Database Enumeration: Revealing Your Installed Web Apps
The most straightforward indexed db fingerprinting technique exploits the indexedDB.databases() method, which returns a list of all databases created by a given origin. While this is restricted by the same-origin policy, the information it reveals within a single origin is surprisingly powerful.
Here’s the problem: many websites create IndexedDB databases with predictable names. A tracking script embedded across multiple sites can probe for the existence of known database names associated with popular web apps. For example:
| Database Name Pattern | Reveals | Uniqueness Contribution |
|---|---|---|
| firebaseLocalStorageDb | Firebase-based app usage | Medium |
| keyval-store | Common PWA framework | Low |
| workbox-expiration-* | Service Worker caching library | Medium |
| idb-keyval | Specific IndexedDB wrapper library | Medium |
| localforage | localForage library usage | Low-Medium |
While the same-origin policy prevents cross-origin database listing, third-party scripts that are embedded across thousands of sites can accumulate this information server-side, building a comprehensive profile of which web technologies and apps a user interacts with. The combination of database names, their versions, and object store structures creates a composite fingerprint with meaningful entropy.
2. Storage Quota Probing: Leaking Your Disk Size
This is perhaps the most insidious indexed db fingerprinting vector. The Storage API’s navigator.storage.estimate() method returns an estimate of the total storage quota available to the origin. Since browsers typically allocate a percentage of available disk space (often 50-60%), this value directly correlates with the user’s physical disk size.
Consider the entropy this creates:
| Disk Size | Typical Quota Estimate | Population Share |
|---|---|---|
| 256 GB SSD | ~128 GB | ~25% |
| 512 GB SSD | ~256 GB | ~30% |
| 1 TB SSD | ~500 GB | ~20% |
| 2 TB HDD | ~1 TB | ~10% |
| 256 GB with 180 GB used | ~38 GB | Highly unique |
The last row is critical — the quota estimate changes based on available disk space, not just total capacity. This means the value shifts as you install software, download files, or delete data. Combined with other fingerprinting signals, storage quota estimates add 3-8 bits of entropy to a browser fingerprint, sometimes more.
3. Database Creation Timing Analysis
The time it takes to create an IndexedDB database, open a transaction, and write data varies based on hardware characteristics. Tracking scripts can measure these timings to infer:
- Storage medium type — SSDs vs HDDs produce measurably different I/O latencies
- CPU performance class — serialization and deserialization speeds vary across processors
- System load — background processes affect timing measurements
- Browser implementation — each browser engine handles IndexedDB operations slightly differently
A fingerprinting script might create a test database, write a known payload, read it back, and measure the round-trip time. Over multiple iterations, the statistical distribution of these timings creates a hardware profile. This is functionally similar to the timing attacks documented in modern browser tracking methods, where side-channel measurements replace direct API calls.
4. Cross-Origin Storage Partitioning Gaps
Browsers have been working to partition storage by top-level site since 2020, but implementation gaps persist in 2026. Storage partitioning means that an IndexedDB database created by tracker.com when embedded in siteA.com should be separate from the database created by tracker.com when embedded in siteB.com.
In theory, this prevents cross-site tracking via IndexedDB. In practice, several gaps remain:
- Partitioning rollout inconsistencies — not all browsers implement full storage partitioning, and some have exceptions for specific API combinations
- Service Worker scope issues — Service Workers can sometimes access unpartitioned IndexedDB storage, creating a bridge between partitioned contexts
- Redirect-based bypasses — navigational tracking through redirects can access first-party storage before partitioning kicks in
- iframe sandbox exceptions — certain sandbox attribute combinations may allow partial access to unpartitioned storage
These gaps mean that indexed db fingerprinting can still function as a cross-site tracking mechanism in certain browser configurations, even when storage partitioning is nominally enabled.
5. Zombie Cookies via IndexedDB
Zombie cookies — tracking identifiers that regenerate after deletion — are one of the most notorious uses of IndexedDB in the tracking ecosystem. The technique works by redundantly storing a unique user identifier across multiple storage mechanisms:
- HTTP cookies — first-party and third-party
- localStorage — per-origin key-value storage
- IndexedDB — structured database storage
- Service Worker cache — HTTP response cache controlled by JavaScript
- Cache API — programmatic cache storage
- window.name — session-persistent window property
When a user clears cookies, the tracking script checks IndexedDB on the next visit. If the identifier is still there, it regenerates the cookie. If IndexedDB is also cleared, the script checks Service Worker cache, localStorage, and other stores. The identifier only truly dies if all redundant stores are wiped simultaneously — something most “Clear Browsing Data” interfaces don’t guarantee.
This persistence mechanism is directly related to how websites track you without cookies — IndexedDB serves as one of the most reliable backup stores for regenerating deleted tracking identifiers.
IndexedDB vs localStorage Fingerprinting: Key Differences
Many people conflate IndexedDB and localStorage fingerprinting, but they differ in significant ways:
| Feature | IndexedDB Fingerprinting | localStorage Fingerprinting |
|---|---|---|
| Storage capacity | Up to 50% of disk space | ~5-10 MB per origin |
| Data structure | Complex objects, blobs, indexes | Simple key-value strings |
| Quota probing entropy | High (leaks disk size) | Low (fixed limit) |
| Timing attack surface | Large (async I/O operations) | Small (synchronous, fast) |
| Database enumeration | Yes (databases() method) | Partial (key enumeration) |
| Service Worker access | Full access | No access |
| Persistence after clear | Often survives partial clears | Usually cleared with cookies |
| Browser support | Universal | Universal |
| Detection difficulty | High | Medium |
The key takeaway: IndexedDB provides significantly more fingerprinting surface area than localStorage. Its async nature, large quotas, and tight integration with Service Workers make it both more powerful for trackers and harder for privacy tools to fully mitigate.
Persistence Across Sessions: Why IndexedDB Fingerprints Survive
One of the most dangerous aspects of indexed db fingerprinting is its exceptional persistence. IndexedDB data survives across browser sessions by default — it persists until explicitly deleted. But even “explicit deletion” is often incomplete:
Incomplete Clearing Behavior
Most browsers offer a “Clear browsing data” option, but the behavior varies:
- Chrome: Clearing “Cookies and other site data” removes IndexedDB, but clearing “Cached images and files” does not. Users often select only the latter.
- Firefox: Clearing “Cookies and Site Data” removes IndexedDB, but Enhanced Tracking Protection doesn’t automatically clear IndexedDB for known trackers.
- Safari: ITP (Intelligent Tracking Prevention) caps IndexedDB storage for cross-site trackers at 7 days, but first-party IndexedDB persists indefinitely.
- Edge: Follows Chrome’s behavior since it uses the same Chromium engine.
How Send.win Helps You Master Indexed Db Fingerprinting
Send.win makes Indexed Db Fingerprinting simple and secure with powerful browser isolation technology:
- Browser Isolation – Every tab runs in a sandboxed environment
- Cloud Sync – Access your sessions from any device
- Multi-Account Management – Manage unlimited accounts safely
- No Installation Required – Works instantly in your browser
- Affordable Pricing – Enterprise features without enterprise costs
Try Send.win Free – No Credit Card Required
Experience the power of browser isolation with our free demo:
- Instant Access – Start testing in seconds
- Full Features – Try all capabilities
- Secure – Bank-level encryption
- Cross-Platform – Works on desktop, mobile, tablet
- 14-Day Money-Back Guarantee
Ready to upgrade? View pricing plans starting at just $9/month.
Service Worker Resurrection
Even when IndexedDB is cleared, a previously registered Service Worker can recreate databases on its next activation. Service Workers persist independently of site data clearing in some browsers, creating a resurrection vector. This interplay between Service Workers and IndexedDB is one of the reasons service worker fingerprinting remains such a potent tracking technique — the two APIs reinforce each other’s persistence.
Persistent Storage API
The navigator.storage.persist() API allows sites to request that their storage be exempt from automatic eviction. Once granted, IndexedDB data for that origin won’t be cleared even when the browser is under storage pressure. While this requires user permission, many PWAs routinely request and receive this permission, creating permanently persistent tracking stores.
Real-World IndexedDB Fingerprinting in the Wild
Academic research and privacy audits have documented numerous real-world deployments of indexed db fingerprinting techniques:
Evercookie and Its Descendants
The original Evercookie library, created by Samy Kamkar in 2010, included IndexedDB as one of its storage mechanisms. Modern commercial tracking SDKs have evolved this concept into sophisticated multi-store identifier systems that use IndexedDB as a primary persistence layer. These systems are embedded in advertising SDKs, analytics platforms, and consent management tools used by thousands of websites.
Fingerprint.js and Storage-Based Signals
Open-source fingerprinting libraries like FingerprintJS incorporate IndexedDB signals into their composite fingerprints. They probe storage quotas, measure database operation timings, and check for specific database existence patterns. The commercial version (Fingerprint Pro) likely uses even more sophisticated IndexedDB-based signals.
Cross-Site Tracking via Storage APIs
In 2024 and 2025, researchers at several universities demonstrated that storage quota probing could be used as a cross-site tracking vector even with partitioned storage. The technique exploited the fact that quota estimates reflect global disk state, not per-partition state. This means two different partitioned contexts on the same device will report similar quota values, enabling probabilistic cross-site linking.
Browser Mitigations and Their Limitations
Browsers have implemented several defenses against indexed db fingerprinting, but each has significant limitations:
Storage Partitioning
What it does: Separates storage by top-level site, preventing a third-party tracker from accessing the same IndexedDB across different websites.
Limitation: Only prevents cross-site tracking via direct storage access. Does not prevent storage quota probing (which reflects global state), timing attacks, or first-party fingerprinting.
Storage Quota Randomization
What it does: Some browsers add noise to storage quota estimates to prevent exact disk size inference.
Limitation: The randomization is often too small to prevent useful categorization (SSD vs HDD, 256GB vs 1TB), and repeated measurements can average out the noise.
Automatic Storage Expiration (Safari ITP)
What it does: Safari deletes IndexedDB for cross-site trackers after 7 days without user interaction.
Limitation: Only applies to identified trackers on Apple’s list. First-party IndexedDB persists forever, and trackers can reset the 7-day timer via user interaction events.
Enhanced Tracking Protection (Firefox ETP)
What it does: Blocks known trackers from accessing storage APIs.
Limitation: Relies on blocklists (Disconnect.me), which are reactive and don’t catch new or first-party trackers.
Total Cookie Protection (Firefox)
What it does: Creates a separate “cookie jar” (including IndexedDB) for each website.
Limitation: Doesn’t prevent quota probing or timing-based fingerprinting, which operate at the system level rather than the storage level.
Defense Techniques: How to Protect Against IndexedDB Fingerprinting
Given the limitations of built-in browser mitigations, additional defense layers are necessary for meaningful protection against indexed db fingerprinting:
Profile Isolation
The most effective defense is complete browser profile isolation — running each browsing context in a separate profile with its own IndexedDB instance, storage quota, and Service Worker registration. This ensures that:
- Database enumeration reveals only databases from the current profile’s activity
- Storage quota probing returns values specific to the profile’s allocated storage
- Zombie cookies can’t regenerate across profile boundaries
- Timing measurements reflect the profile’s sandboxed environment, not the host hardware
Storage API Interception
Advanced privacy tools can intercept IndexedDB API calls and:
- Return spoofed values for
navigator.storage.estimate() - Add calibrated noise to timing measurements
- Limit or randomize the results of
indexedDB.databases() - Normalize database operation timings
Regular Storage Wiping
Periodically clearing all site data — including IndexedDB, Service Worker registrations, Cache API, localStorage, and cookies — prevents long-term identifier persistence. However, this must be comprehensive to defeat zombie cookie techniques.
Content Blocking
Blocking known fingerprinting scripts via content blockers (uBlock Origin, Brave Shields) prevents the most common fingerprinting attempts, but doesn’t protect against first-party fingerprinting or novel scripts not yet on blocklists.
IndexedDB Fingerprinting in the Post-Cookie Era
With third-party cookies deprecated across all major browsers by 2026, the tracking industry has shifted focus to storage-based and fingerprinting-based identification methods. IndexedDB sits at the intersection of both approaches:
- As a storage mechanism: IndexedDB replaces cookies for storing persistent identifiers, with better survival characteristics against user clearing
- As a fingerprinting surface: The API’s side-channels (quota probing, timing, database enumeration) contribute unique bits to composite fingerprints
- As a cross-session bridge: IndexedDB + Service Workers create a persistence layer that survives most privacy-oriented browsing behaviors
This dual role makes indexed db fingerprinting particularly difficult to address — you need both storage isolation and API output normalization to fully mitigate the threat.
Testing Your IndexedDB Fingerprint Exposure
You can assess your own exposure to IndexedDB fingerprinting using these methods:
Browser DevTools
- Open DevTools (F12) and navigate to the Application tab
- Expand “IndexedDB” in the sidebar to see all databases for the current origin
- Check Storage → “Storage quota” to see your estimated quota
- Note how many databases exist and their names — this is what fingerprinting scripts see
Online Testing Tools
Several privacy audit tools test for IndexedDB fingerprinting vectors:
- BrowserLeaks.com — shows storage quota estimates and database information
- AmIUnique.org — includes storage APIs in its fingerprint analysis
- CoverYourTracks (EFF) — tests for various client-side storage fingerprinting techniques
Manual Console Test
Run this in your browser console to see your storage quota exposure:
- Open the Console tab in DevTools
- Type:
navigator.storage.estimate().then(e => console.log('Quota:', e.quota, 'Usage:', e.usage)) - The quota value reveals information about your disk size
- Compare this across different browsers and profiles to see variation
How Antidetect Browsers Handle IndexedDB Fingerprinting
Not all antidetect browsers handle indexed db fingerprinting equally. The quality of IndexedDB isolation varies significantly:
| Feature | Basic Antidetect | Advanced Antidetect | Cloud-Based (Send.win) |
|---|---|---|---|
| Separate IndexedDB per profile | ✅ | ✅ | ✅ |
| Storage quota spoofing | ❌ | ✅ | ✅ |
| Database enumeration isolation | Partial | ✅ | ✅ |
| Service Worker isolation | ❌ | Partial | ✅ |
| Timing normalization | ❌ | Partial | ✅ |
| Zombie cookie prevention | ❌ | ✅ | ✅ |
| Cross-profile leakage risk | High | Medium | Low |
Cloud-based antidetect solutions have a structural advantage here: because each profile runs in its own isolated cloud environment, there’s no shared hardware to leak through timing side-channels, and storage quotas reflect the cloud instance rather than the user’s local machine.
🏆 Send.win Verdict
IndexedDB fingerprinting exploits storage quotas, database enumeration, timing side-channels, and zombie cookie techniques to persistently identify users — even after clearing cookies. Defending against it requires complete profile isolation at the storage level, which is exactly what Send.win provides. Each Send.win browser profile runs with its own isolated IndexedDB instance, spoofed storage quotas, and independent Service Worker context. There’s no cross-profile leakage, no shared hardware signals, and no zombie cookie resurrection across profiles. Whether you’re managing multiple accounts, running privacy-sensitive workflows, or testing web applications, Send.win ensures your IndexedDB footprint stays unique and isolated per profile.
Try Send.win free today — complete IndexedDB isolation for every browser profile, zero configuration required.
Frequently Asked Questions About IndexedDB Fingerprinting
What is IndexedDB fingerprinting and how does it differ from cookie tracking?
IndexedDB fingerprinting uses the browser’s IndexedDB storage API to identify and track users through methods like database enumeration, storage quota probing, and timing analysis. Unlike cookie tracking, which stores an explicit identifier that can be easily cleared, IndexedDB fingerprinting exploits side-channels and metadata of the storage system itself. The fingerprint signals (disk size via quota estimates, database creation timings, installed app databases) exist whether or not any tracking identifier is stored. Additionally, IndexedDB data often survives partial browser data clearing, making it more persistent than traditional cookies.
Can IndexedDB fingerprinting track me across different websites?
Direct cross-site tracking via IndexedDB is limited by the same-origin policy and storage partitioning in modern browsers. However, indirect cross-site tracking is possible through storage quota probing (which reflects global disk state regardless of origin), timing measurements (which reveal hardware characteristics consistent across sites), and third-party scripts embedded across multiple sites that aggregate per-origin data server-side. Storage partitioning gaps and Service Worker scope issues can also enable cross-site tracking in certain configurations.
Does clearing my browser data remove IndexedDB fingerprints?
Clearing “Cookies and site data” typically removes IndexedDB databases, but several caveats apply. First, Service Workers may survive independent clearing and can recreate databases on next activation. Second, sites that have been granted persistent storage permission (via the Storage API) may retain data even under storage pressure. Third, zombie cookie techniques redundantly store identifiers across multiple APIs, so all storage types must be cleared simultaneously. For maximum effectiveness, use “Clear all site data” options that explicitly include Service Worker registrations.
How much unique information does storage quota probing reveal?
Storage quota probing typically adds 3-8 bits of entropy to a fingerprint, depending on the user population. The quota estimate reflects available disk space, which varies widely across users. When combined with other fingerprinting signals like canvas, WebGL, font enumeration, and screen properties, the storage quota value can be the distinguishing factor that makes an otherwise ambiguous fingerprint unique. On machines with unusual disk configurations or heavily used storage, the entropy contribution can be even higher.
Do privacy-focused browsers like Brave or Firefox block IndexedDB fingerprinting?
Both Brave and Firefox implement partial mitigations. Firefox’s Total Cookie Protection partitions IndexedDB by top-level site, and Enhanced Tracking Protection blocks known trackers. Brave adds noise to storage quota estimates and blocks third-party storage. However, neither browser fully prevents first-party IndexedDB fingerprinting, timing-based attacks, or sophisticated quota probing techniques that can average out randomization noise. They reduce the attack surface significantly but don’t eliminate it.
What is a zombie cookie and how does IndexedDB enable it?
A zombie cookie is a tracking identifier that regenerates after the user deletes it. IndexedDB enables zombie cookies by serving as one of multiple redundant storage locations for the identifier. When a user clears cookies, the tracking script checks IndexedDB for the backup identifier and recreates the cookie. The same process works in reverse — if IndexedDB is cleared but cookies remain, the identifier is restored to IndexedDB. This multi-store redundancy means the identifier persists unless every storage mechanism is cleared at the same time.
Can I disable IndexedDB entirely to prevent fingerprinting?
Technically, you can disable IndexedDB in some browsers via about:config flags (e.g., dom.indexedDB.enabled in Firefox), but this is impractical. Disabling IndexedDB breaks many modern web applications — Gmail, Google Docs, Notion, Slack, and most PWAs rely on IndexedDB for basic functionality. Furthermore, having IndexedDB disabled is itself a distinguishing signal that makes your browser more fingerprintable, not less. The better approach is to use isolated browser profiles that present realistic but distinct IndexedDB environments.
How does IndexedDB fingerprinting interact with Service Worker fingerprinting?
IndexedDB and Service Workers create a mutually reinforcing fingerprinting and persistence layer. Service Workers have full access to IndexedDB and can read/write databases in the background, even when no page is open. This means a Service Worker can maintain and regenerate IndexedDB-stored identifiers, while IndexedDB can store configuration data that directs Service Worker behavior. The combination creates a persistence mechanism that’s harder to clear than either technology alone, as both must be removed simultaneously to break the tracking cycle.
