← Back to Blog

Firefox 145 Broke Your Cookieless Tracking Too

Firefox 145 reduced the share of users uniquely identifiable by fingerprinters by roughly half (Mozilla, November 2025). If your WooCommerce attribution switched from cookies to device fingerprinting after Safari ITP restrictions, that fallback is now degrading across Firefox’s privacy-conscious audience. Combined with Safari’s 7-day cookie cap and 31.5% global ad-blocker usage, the only durable identification layer left is a first-party server that sets cookies via HTTP headers from your own subdomain.

Contents

What Firefox 145 Actually Changed

Mozilla’s Phase 2 anti-fingerprinting protections completed a multi-year campaign to reduce browser fingerprint trackability — and the numbers are significant.

Firefox 145, released in November 2025, completed the second phase of Mozilla’s anti-fingerprinting initiative. Before Phase 1, roughly 65% of Firefox users could be uniquely identified by fingerprinters. Phase 1 reduced that to 35%. Phase 2 brought it down to approximately 20% — cutting fingerprint trackability by nearly half from the Phase 1 baseline (BleepingComputer, 2025).

The protections work by limiting the information Firefox exposes to websites. Processor cores are always reported as either 4 or 8. Local font access is blocked in favour of standard OS fonts. Screen resolution is normalised. Multi-touch support reports generic values. Canvas rendering — one of the most reliable fingerprinting vectors — now returns randomised noise when websites attempt to read back generated images.

Here’s the thing: these defenses don’t break websites. Mozilla deliberately avoided aggressive blocking that would compromise legitimate features like calendar tools and video conferencing. Instead, they reduced the granularity of device signals until the fingerprint becomes too generic to uniquely identify most users. The protections currently apply in Private Browsing and ETP Strict mode, with plans for default rollout across all Firefox sessions (Mozilla, 2025).

You may be interested in: Safari 26 Enabled Fingerprinting Protection for Everyone — What Actually Changed

Firefox 145’s Phase 2 anti-fingerprinting protections reduced the share of uniquely identifiable users from 35% to roughly 20%, cutting fingerprint trackability by nearly half (Mozilla, November 2025).

Why Cookieless Tracking Was Never the Fix

The industry pivoted to fingerprinting and device graphs when cookies started dying. Firefox 145 reveals why that pivot was building on another collapsing foundation.

When Safari’s Intelligent Tracking Prevention capped JavaScript-set cookies to 7 days — and just 24 hours when tracking parameters like fbclid or gclid appear in the URL — the tracking industry scrambled for alternatives (Apple WebKit, 2023). ‘Cookieless’ solutions emerged as the answer, and most of them rely on some form of device fingerprinting under the hood.

Device-graph vendors and ‘cookieless’ identity platforms collect browser signals — GPU behaviour, font lists, screen dimensions, audio context — and stitch them into a persistent identifier. The pitch sounds compelling: no cookies needed, works across sessions, survives private browsing. What the pitch omits is that browsers are systematically dismantling the signals these solutions depend on.

Firefox 145 is not an isolated move. Safari has blocked known fingerprinting scripts since 2020. Brave blocks fingerprinting by default. Even Chrome, which reversed its third-party cookie deprecation, has acknowledged fingerprinting as a tracking vector (though Google’s approach remains more permissive). The trajectory across every major browser vendor is toward reducing the uniqueness of device signals — which is precisely the foundation cookieless tracking is built on.

Translation: if your WooCommerce store migrated to a cookieless solution after Safari ITP, you didn’t future-proof your attribution. You moved from one eroding signal to another.

Safari’s Intelligent Tracking Prevention caps all JavaScript-set cookies to 7 days, dropping to 24 hours when tracking parameters like fbclid or gclid appear in the URL (Apple WebKit, 2023).

The Three-Layer Erosion Hitting WooCommerce

Cookie decay, fingerprint decay, and ad-blocker stripping aren’t separate problems — they compound into a single data loss equation your dashboards don’t show you.

WooCommerce store owners face three simultaneous erosion layers, and most tracking setups are vulnerable to all three.

Erosion LayerMechanismImpact on Client-Side Tracking
Cookie DecaySafari ITP: 7-day JS cookie cap (24 hours with click IDs). All iOS browsers affected via WebKit requirement.Attribution severed for any customer journey exceeding 7 days on Safari/iOS — roughly 24% of global traffic.
Fingerprint DecayFirefox 145: Phase 2 reduces unique fingerprints from 35% to ~20%. Safari blocks known scripts. Brave blocks by default.Cookieless/device-graph identity degrades as browsers normalise device signals.
Tag StrippingAd blockers (31.5% global usage, Statista 2024) and Manifest V3 extension changes block analytics tags before they fire.Events never reach your analytics platform. Conversions invisible to ad platforms.

Combined, these three layers account for an estimated 30-40% of client-side event data being lost before it reaches your analytics platform (industry consensus, 2025). That’s not a rounding error. It’s a structural gap between what your customers actually do and what your dashboards report.

Firefox’s 2.94% global market share might tempt you to dismiss these fingerprinting changes (StatCounter, 2026). That would be a mistake. Firefox users skew heavily toward privacy-conscious, technically sophisticated audiences — the kind of users who also run ad blockers, use VPNs, and make high-intent B2B purchases. The audience most affected by fingerprint decay is disproportionately valuable, not statistically negligible.

You may be interested in: Manifest V3 and Ad Blockers: How Much WooCommerce Data You’re Losing

What Still Works: First-Party Server Identity

When both cookies and fingerprints erode, the durable layer is a tracking server you control on your own infrastructure.

The pattern that survives all three erosion layers is straightforward in principle: move identification from the browser to a server you control. Server-set cookies using HTTP Set-Cookie headers from a genuine first-party subdomain persist for up to 400 days across Safari, Firefox, and Chrome (WebKit documentation, 2023). ITP doesn’t cap them. ETP doesn’t cap them. Fingerprinting restrictions don’t affect them because they aren’t fingerprints.

The critical architectural requirement is that your tracking server must share the same IP infrastructure as your main website. Safari 16.4 introduced IP-address matching: if the server setting the cookie resolves to a different IP range than your website, Safari applies the 7-day cap even to server-set cookies. This means third-party hosted solutions — GTM on Google Cloud, Stape containers, or any tracking server running on external infrastructure — often fail to deliver the extended cookie lifetime they promise.

For WooCommerce stores, the practical implementation involves deploying a lightweight event collector on your own subdomain. The collector receives events from a small first-party JavaScript snippet, sets the visitor identity cookie via HTTP headers, and forwards enriched events to your analytics and ad platforms server-side. Because the identification happens server-to-server, it’s invisible to ad blockers and unaffected by any browser’s privacy restrictions on client-side scripts.

Transmute Engine™ takes this approach for WordPress and WooCommerce: a server-side event pipeline deployed on your subdomain that sets first-party cookies from your own infrastructure, enriches events with identity data, and forwards them to Google Analytics 4, Meta CAPI, Google Ads, and BigQuery without depending on browser-side signals that are systematically being restricted.

Key Takeaways

  • Firefox 145 cut fingerprint trackability by half: Phase 2 anti-fingerprinting protections reduced uniquely identifiable users from 35% to approximately 20%, completing a multi-year initiative (Mozilla, November 2025).
  • Cookieless tracking is not future-proof: Most ‘cookieless’ identity solutions rely on device fingerprinting — the exact signal that Firefox, Safari, and Brave are systematically dismantling.
  • Three erosion layers compound: Cookie decay (Safari ITP 7-day cap), fingerprint decay (Firefox 145, Safari, Brave), and ad-blocker tag stripping (31.5% global usage) combine to lose 30-40% of client-side event data.
  • Firefox’s small share masks high-value audiences: At 2.94% global share, Firefox users skew toward privacy-conscious, technical, and high-intent segments that over-represent in B2B and developer markets.
  • Server-set first-party cookies are the durable layer: HTTP Set-Cookie headers from your own subdomain persist for 400 days across all major browsers, unaffected by ITP, ETP, or fingerprinting restrictions.
What is browser fingerprinting and how does it differ from cookies?

Browser fingerprinting collects subtle device details — your screen resolution, installed fonts, GPU rendering behaviour, processor cores, and timezone — to build a unique digital signature. Unlike cookies, fingerprints don’t require storing anything in the browser, so they persist across sessions and survive private browsing mode. Firefox 145’s Phase 2 protections reduce the share of users uniquely identifiable by fingerprinters by roughly half.

Does Firefox 145 affect my Google Analytics or ad platform data?

If your analytics or ad platform uses any fingerprint-based identification — including ‘cookieless’ or device-graph solutions — Firefox 145’s protections will reduce match rates for Firefox users. GA4 client IDs set via JavaScript cookies are separately affected by the 7-day cap in Safari and Firefox ETP. Server-set first-party cookies are not affected by either restriction.

Is cookieless tracking actually future-proof for WooCommerce stores?

No. ‘Cookieless’ tracking typically relies on device fingerprinting as the identification layer. Firefox 145 cut fingerprint trackability by half, Safari blocks known fingerprinting scripts, and Brave blocks them by default. The durable alternative is a first-party server on your own subdomain that sets cookies via HTTP headers, which persists for up to 400 days across all major browsers.

What still works for visitor identification when both cookies and fingerprints are restricted?

Server-set first-party cookies using HTTP Set-Cookie headers from a genuine first-party subdomain remain unaffected by ITP, ETP, and fingerprinting restrictions. This requires your tracking server to run on your own infrastructure with matching IP addresses. Combined with hashed email and phone matching for ad platforms like Meta CAPI and Google Enhanced Conversions, this provides durable identification without relying on browser-side signals.

References

  • Mozilla Blog. “Firefox expands fingerprint protections: advancing towards a more private web.” November 2025. blog.mozilla.org
  • BleepingComputer. “Mozilla Firefox gets new anti-fingerprinting defenses.” November 2025. bleepingcomputer.com
  • StatCounter via DemandSage. “Browser Market Share 2026.” 2026. demandsage.com
  • Apple WebKit / Stape. “Safari ITP — Everything You Need to Know.” 2023. stape.io
  • Statista. “Global ad-blocker usage rate.” 2024. statista.com
  • Snowplow. “Safari ITP update: cookie lifetime.” 2023. snowplow.io
  • CyberInsider. “Firefox 145 introduces stronger user fingerprinting protection.” November 2025. cyberinsider.com

If your WooCommerce store is still relying on client-side signals for attribution, the window to fix it is narrowing with every browser update. See how Seresa builds durable first-party tracking infrastructure.