FingerprintJS, a company that makes anti-fraud tools for websites, published a post on its website a few days ago describing a vulnerability in Apple's Safari browser. The flaw lets websites obtain the names of other websites that some users are browsing, and can even leak personal data such as user IDs.

The problem stems from the IndexedDB API as implemented in Safari 15. Generally, browsers provide a separate IndexedDB database for each website, allowing the website to store data on the computer. The stored information is generally used only by that website and cannot be detected or accessed by other websites.

However, in Safari, whenever a website uses IndexedDB, an empty database with the same name appears for other websites. Although other sites cannot view the actual content of the database, they can infer which sites the user has visited from the name of the database. More notably, sites such as Google add personal information, such as user IDs, to the names of their IndexedDB databases, which may cause even greater problems.
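Because the leaked item is the database name itself, a site developer can reduce the exposure described above by keeping user identifiers out of those names. The following is an added example, not code from FingerprintJS or the original article: it audits a list of database names an application creates and flags any that embed an identifier. The patterns, function names and sample names are constructed assumptions.

```javascript
// Added example: audit the IndexedDB database names an application creates.
// Patterns and sample names are constructed, not taken from the article.
const IDENTIFIER_PATTERNS = [
  { kind: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: 'numeric-id', re: /\d{8,}/ },
];

// Replace every identifier-like token so the audit report does not
// repeat the identifier it is warning about.
function redactName(name) {
  let out = name;
  for (const { kind, re } of IDENTIFIER_PATTERNS) {
    out = out.replace(new RegExp(re.source, re.flags + 'g'), `[${kind}]`);
  }
  return out;
}

// Return one finding per name that contains an identifier-like token.
// `index` points back into the input list instead of echoing the raw name.
function auditDatabaseNames(names) {
  const findings = [];
  names.forEach((name, index) => {
    const kinds = IDENTIFIER_PATTERNS
      .filter(({ re }) => re.test(name))
      .map(({ kind }) => kind);
    if (kinds.length > 0) {
      findings.push({ index, kinds, redacted: redactName(name) });
    }
  });
  return findings;
}

// Constructed sample: names a hypothetical application might pass to indexedDB.open().
const SAMPLE_NAMES = [
  'app-settings',
  'offline.store#10117380248593',
  'inbox:alice@example.com',
  'sync_9b2f6c1a-4d3e-4f8a-b1c2-7e5d9a0f3b6c',
  'cache-v2',
];

for (const f of auditDatabaseNames(SAMPLE_NAMES)) {
  console.log(`name #${f.index} embeds ${f.kinds.join(', ')}: ${f.redacted}`);
}
```

Names that are flagged can be replaced with a fixed database name, with the per-user key stored inside the database rather than in its name.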

FingerprintJS said that all affected users can currently do is disable JavaScript completely or temporarily use a browser other than Safari 15. However, because Apple requires browsers for iOS and iPadOS to be built on the same browser engine as Safari, all browsers on these platforms are affected by the problem. On these platforms, the problem can only be completely solved by waiting for Apple to release an update.

