A vulnerability in Apple's browser can be exploited to expose your browsing history.
The bug was introduced to the browser via its implementation of IndexedDB, which is part of Apple's web browser engine. IndexedDB can be used to save data on your computer so that websites you've visited load quicker when you return to them.
The same-origin policy is a security mechanism that doesn't allow websites to interact with each other unless they have the same domain name. Think of it as being in a state of isolation and only being allowed to hang out with your family. For example, a website can't find out that you've been cheating on it with YouTube if it can't access the data YouTube saved in IndexedDB.
The bug revealed by FingerprintJS violates the same-origin policy, exposing data IndexedDB has collected to websites it didn't collect it from. Some websites in the network use unique user-specific identifiers in the data provided to IndexedDB. If you are logged into your account, the data collected can be used to identify both your browsing history and details of that account. If you log into more than one account, that can be figured out as well.
"Not only does this imply that a website can learn a user's identity, but it also allows the linking of multiple separate accounts used by the same user," wrote FingerprintJS. The demonstration shows the type of information the exploit can reveal.
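The isolation described above, and what its absence exposes, as a small JavaScript model. This is an added example, not code from FingerprintJS or Apple; the URLs, the database names and the assumption that the user-specific identifier sits in the database name are constructed for illustration.

```javascript
// Added example: a constructed model, not browser, Apple or FingerprintJS code.
// All URLs and database names below are made up for illustration.

// The same-origin policy isolates by origin: scheme + host + port.
const originOf = (url) => new URL(url).origin;

class DatabaseRegistry {
  constructor() {
    this.namesByOrigin = new Map(); // origin -> Set of database names
  }

  // A page at pageUrl creates (or opens) a database called name.
  open(pageUrl, name) {
    const origin = originOf(pageUrl);
    if (!this.namesByOrigin.has(origin)) this.namesByOrigin.set(origin, new Set());
    this.namesByOrigin.get(origin).add(name);
  }

  // Correct isolation: a page sees only names created by its own origin.
  visibleIsolated(pageUrl) {
    return [...(this.namesByOrigin.get(originOf(pageUrl)) ?? [])].sort();
  }

  // The failure the article describes: names are not filtered by origin.
  visibleWithoutIsolation() {
    return [...this.namesByOrigin.values()].flatMap((s) => [...s]).sort();
  }
}

// Site-owner audit: flag names that embed something user-specific
// (assumed shapes: a UUID, or a run of 8 or more digits).
const USER_SPECIFIC = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|\d{8,}/i;
const identifyingNames = (names) => names.filter((n) => USER_SPECIFIC.test(n));

function demo() {
  const reg = new DatabaseRegistry();
  reg.open("https://video.example/watch", "offline-cache.1029384756"); // user id in name
  reg.open("https://video.example/settings", "ui-prefs");
  reg.open("https://news.example/", "articles");
  return {
    isolated: reg.visibleIsolated("https://news.example/story"),
    leaked: reg.visibleWithoutIsolation(),
    risky: identifyingNames(reg.visibleIsolated("https://video.example/")),
  };
}
```

A site that keeps its database names fixed and stores the identifier inside the database instead gives the audit nothing to flag.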
The bug was reported at the end of last year, but Apple hasn't fixed it. Apple has been contacted for comment.
There isn't much you can do about this right now. Since a private tab can't tell what's going on in any other tabs, browsing in Private mode can mitigate the damage. It isn't perfect, though.
If you visit multiple different websites within the same private tab, all databases these websites interact with are leaked to all subsequently visited websites.
Mac users can avoid the vulnerability by changing browsers, but people on iPadOS are out of luck. The IndexedDB bug has impacted every browser on that system, because Apple requires all of them to use its browser engine. We can either wait for Apple to come out with a patch, or just log off.