A security hole in Firefox and Chrome allows websites to determine a web user’s real IP address, even when using a VPN:
“Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript. This demo is an example implementation of that.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.”
See more details here on this page.
https://torguard.net/blog/browser-security-vulnerability-may-allow-real-ip-leak/
On this site you can check if your broser is affected. With your VPN connected browse to this website and you should see your real IP address in addition to your VPN provider address:
https://diafygi.github.io/webrtc-ips/
How to fix:
For Google Chrome download and install this extension to disable WebRTC.
For Firefox goto “about:config” and set the configuration setting “media.peerconnection.enabled” to “false”.