The vulnerability allows any website that uses IndexedDB for client-side data storage to see the names of IndexedDB databases created by other websites during a user’s browsing session. This bug could allow a website to track other websites a user visits in different tabs or windows, because database names tend to be unique to each website. Some database names also contain user-specific identifiers that could reveal the user’s identity.
FingerprintJS has a live demo of the bug, which affects newer versions of browsers that use Apple’s open-source browser engine WebKit, including Safari 15 for macOS and Safari for all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome and Edge on iOS 15 and iPadOS 15, as Apple requires all iPhone and iPad browsers to use WebKit.
FingerprintJS said the bug does not affect Safari 14 for macOS, nor does it affect any browsers on iOS 14 and iPadOS 14.
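The article notes that database names sometimes contain user-specific identifiers. The JavaScript below is an added example, not code from the article or from FingerprintJS: it checks a site's own IndexedDB database names for embedded identifiers so they can be renamed to generic values. The patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: flag IndexedDB database names that embed user identifiers.
// Patterns and sample names are constructed for illustration, not from the article.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-hex", re: /(?<![0-9a-f])[0-9a-f]{16,}(?![0-9a-f])/i },
  { kind: "numeric-id", re: /(?<!\d)\d{6,}(?!\d)/ },
];

// Returns one finding per name that matches a pattern (first matching pattern wins).
function auditDatabaseNames(names) {
  const findings = [];
  for (const name of names) {
    if (typeof name !== "string" || name === "") continue; // skip unnamed entries
    for (const { kind, re } of IDENTIFIER_PATTERNS) {
      const m = re.exec(name);
      if (m) {
        findings.push({ name, kind, match: m[0] });
        break;
      }
    }
  }
  return findings;
}

// Browser helper: audit the databases that belong to the page's own origin.
async function auditThisOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return []; // API not available in this environment (for example Node.js)
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample: two generic names and four that carry an identifier.
const SAMPLE_NAMES = [
  "app-cache",
  "offline-store-v2",
  "inbox:alice@example.com",
  "user-3f2b8c1e-9d4a-4c7b-8e21-5a6f7b8c9d0e-drafts",
  "session_9f86d081884c7d65",
  "profile_1029384756",
];

function auditSample() {
  return auditDatabaseNames(SAMPLE_NAMES);
}

console.log(auditSample().map((f) => `${f.kind}: ${f.name}`).join("\n"));
```

A name that is flagged here can be replaced with a fixed, generic database name, with the per-user value kept inside the database as a record key instead.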