Safari Bug Allows Websites to Track Your Recent Browsing Activity in Real Time

A bug in the implementation of a JavaScript API called IndexedDB can reveal your browsing history and even your identity, according to a post on Friday by a browser fingerprinting service.

The bug allows any website that uses IndexedDB to access the names of the databases generated by other websites during a user's browsing session. The bug could allow one website to track other websites the user visits in different tabs or windows, as the database names are often unique and specific to each website. The correct behavior is that websites only have access to their own databases.

Some websites use unique user-specific identifiers. For example, if a user's name is included in a database, it can be used to fetch personal information about the user, such as a profile picture. A malicious actor could use this information to determine a user's identity.
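For site owners, a check of whether their own database names carry such identifiers, as an added example that is not from the original article. The patterns, function names and sample names are assumptions constructed for illustration; `indexedDB.databases()` is the standard browser call for listing the current origin's databases.

```javascript
// Added example: audit this origin's own IndexedDB database names for
// user-identifying content. Patterns and sample names are constructed.
const PATTERNS = [
  ["email address", /[^\s@]+@[^\s@]+\.[^\s@]+/],
  ["UUID", /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i],
  ["long numeric id", /\d{8,}/],
];

// names: array of database names; knownUserValues: identifiers of the
// signed-in user (account id, username, email) that must never appear.
function auditDatabaseNames(names, knownUserValues = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    const lower = name.toLowerCase();
    for (const value of knownUserValues) {
      if (value && lower.includes(String(value).toLowerCase())) {
        reasons.push(`contains user value "${value}"`);
      }
    }
    for (const [label, re] of PATTERNS) {
      if (re.test(name)) reasons.push(`looks like ${label}`);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// In a browser, call auditOrigin(indexedDB, [currentUserId]) to check
// the databases the current origin has created.
async function auditOrigin(idbFactory, knownUserValues = []) {
  const dbs = await idbFactory.databases(); // [{ name, version }, ...]
  return auditDatabaseNames(dbs.map((db) => db.name), knownUserValues);
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache-v2",
  "profile_jane.doe@example.com",
  "sync-3f2504e0-4f89-41d3-9a0c-0305e82c3301",
  "inbox.user.1029384756",
];
```

Names that are flagged can be replaced with a constant, site-wide database name, with the per-user identifier stored inside the database rather than in its name.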

The bug affects newer versions of browsers using Apple's open source browser engine WebKit, including Safari 15 for Mac and Safari on all versions of iPadOS 15. Apple requires all browsers to use WebKit on the iPhone and iPad, so the bug affects third-party browsers. A live demo of the bug shows that older browsers are unaffected.

There is no user action required for a website to access a database.

A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real time. Websites can open any website in a popup window in order to cause a leak for that specific site.

Private browsing does not protect against the bug.

We reached out to Apple to see if a fix for the bug was planned. Since all browsers are affected by the WebKit bug on the iPad and the iPhone, it is not possible to switch to a different browser on the Mac.

The bug was reported to the tracker. More information can be found in the post.