Safari browser bug allows websites to track user browsing activity in real time

A bug in WebKit’s implementation of IndexedDB, a JavaScript API, could leak the user’s recent browsing history and even identity. According to a WebKit commit on GitHub, Apple has a fix for the bug, but that fix won’t be available to users until Apple releases new versions of Safari for macOS Monterey, iOS 15, and iPadOS 15. Apple declined to comment when asked for a time frame for releasing the fix to the public.


The vulnerability allows any website that uses IndexedDB for client-side data storage to see the names of IndexedDB databases created by other websites during a user’s browsing session. Because database names tend to be unique to each website, a site could use them to track which other websites a user visits in different tabs or windows. Some database names also contain user-specific identifiers that could reveal the user’s identity.

FingerprintJS has a live demo of the bug, which affects newer versions of browsers that use Apple’s open-source browser engine WebKit, including Safari 15 for macOS and Safari for all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome and Edge on iOS 15 and iPadOS 15, as Apple requires all iPhone and iPad browsers to use WebKit.

FingerprintJS said the bug does not affect Safari 14 for macOS, nor does it affect any browsers on iOS 14 and iPadOS 14.
