According to a blog post shared by browser fingerprinting service provider FingerprintJS on Friday, a bug in WebKit’s JavaScript API called IndexedDB could leak a user’s recent browsing, according to a MacRumors report. History and even identity.
The bug allows any website using IndexedDB to access the name of the IndexedDB database generated by another website during a user’s browsing session. This vulnerability could allow a website to track other websites a user visits since each website’s database name is usually unique. The correct behavior should be that the website can only access its own IndexedDB database.
According to the description of FingerprintJS, the database created by YouTube contains the authenticated Google user ID, and this identifier can be used together with Google API to obtain the user’s personal information such as avatars.
According to reports, the bug will affect new versions of browsers that use Apple’s open-source browser engine WebKit, including Safari 15 for Mac and all versions of Safari for iOS 15 and iPad OS 15. The vulnerability also affects third-party browsers such as Chrome on iOS 15 and iPadOS 15, as Apple requires all browsers to use WebKit on iPhones and iPads. The FingerprintJS demo shows that older browsers like Safari 14 for Mac are not affected.