



According to a blog post shared by browser fingerprinting service FingerprintJS on Friday, a bug in WebKit’s implementation of a JavaScript API called IndexedDB could reveal recent browsing history and even IDs.

In a nutshell, this bug allows any website that uses IndexedDB to access the names of IndexedDB databases generated by other websites during a user’s browsing session. Database names are often unique and specific to each website, so this bug could allow one website to track the other websites that a user visits in different tabs or windows. The correct and normal behavior is that a website can only access its own IndexedDB databases.

In some cases, a website uses a unique, user-specific identifier in the IndexedDB database name. For example, YouTube creates a database with the user’s authenticated Google user ID in the name, and FingerprintJS says that this identifier can be used with Google APIs to retrieve personal information about the user, such as a profile picture. This personal information can help a malicious attacker identify a user.
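The identity exposure described above depends on a site putting a user-specific value in a database name. As an added example (not from FingerprintJS, WebKit or the original article), this JavaScript sketch shows how a site could audit the names of its own IndexedDB databases for such values; the function names, patterns and sample names are assumptions constructed for illustration.

```javascript
// Added example: flags IndexedDB database names that embed user-specific values.
// All names, identifiers and patterns below are constructed for illustration.

// Heuristic patterns for values that tend to be per-user rather than per-site.
const PATTERNS = [
  { reason: "long digit run (possible account ID)", re: /\d{12,}/ },
  { reason: "UUID", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { reason: "email address", re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
];

// Returns [{ name, reasons }] for every database name that looks user-specific.
// `knownUserValues` are identifiers the site already holds for the signed-in user.
function auditDatabaseNames(names, knownUserValues = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    for (const value of knownUserValues) {
      if (value && name.includes(value)) reasons.push("contains known user value");
    }
    for (const { reason, re } of PATTERNS) {
      if (re.test(name)) reasons.push(reason);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// In a browser, a site can run the audit against its own origin (hypothetical helper).
async function auditOwnOrigin(knownUserValues) {
  const dbs = await indexedDB.databases(); // own-origin list in a correct browser
  return auditDatabaseNames(dbs.map((d) => d.name), knownUserValues);
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache",
  "offline-store:110000000000000000001",
  "settings|alice@example.test",
  "sync-3f2504e0-4f89-41d3-9a0c-0305e82c3301",
];
```

Any name this flags is a candidate for replacement with a fixed, per-site name, so that a leaked database name reveals at most which site was visited.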

This bug affects newer versions of browsers that use Apple’s open-source browser engine WebKit. This includes Safari 15 for Mac, iOS 15 and all versions of Safari on iPadOS 15. This bug also affects third-party browsers such as Chrome on iOS 15 and iPadOS 15, because Apple requires that all browsers use WebKit on iPhones and iPads. FingerprintJS has a live demo of the bug that shows that older browsers such as Safari 14 for Mac are not affected.

FingerprintJS pointed out that no user action is required for a website to access IndexedDB database names generated by other websites.

“A tab or window that runs in the background and continuously queries the IndexedDB API for available databases can tell you which other websites your users are accessing in real time,” the blog post said. “Alternatively, a website can open any website in an iframe or pop-up window to trigger an IndexedDB-based leak for that particular site.”

Private browsing mode in affected Safari versions does not protect against the bug.

Users must wait for Apple to address the bug in a software update; Apple has been contacted to ask whether a fix is planned. In the meantime, Safari 15 users can temporarily switch to another browser on their Mac, but on iPhones or iPads this isn’t possible because all browsers on these devices are affected by the WebKit bug.

The bug was reported to the WebKit bug tracker on November 28th. For more information, see the FingerprintJS blog post, previously reported by 9to5Mac.

