This bug allows any website to track browsing activity to reveal the user’s identity. This vulnerability stems from Apple’s IndexedDB, an Application Programming Interface (API) that stores data in the user’s browser.
FingerprintJS explains IndexedDB adheres to the same-origin policy, which restricts an origin from interacting with data collected in other sources. Supposedly, only the website that generates the data can access it.
FingerprintJS found that Apple’s IndexedDB API application on Safari 15 actually violated the same-origin policy. When a website interacts with a database in Safari, FingerprintJS says a new (empty) Database with the same name is created in all frames, tabs and other active windows in the same browser session.
That means, other websites can see other database names, which may contain details specific to the user’s identity. FingerprintJS logs sites that use Google accounts, such as YouTube, Google Calendar, and Google Keep, all of which generate databases with the user’s unique Google User ID in their name.
This Google User ID allows Google to access publicly available information, such as profile pictures that Safari bugs can expose to other websites.
FingerprintJS also created a proof demo that users of Safari 15 and later can try on their Mac, iPhone, or iPad. This demo using the browser’s IndexedDB vulnerability can be used to identify what sites a user has opened. In addition, the demo also shows how a site that exploits a bug can scrape information from Google User ID.
Currently FingerprintJS has detected only 30 popular sites affected by the bug, such as including Instagram, Netflix, Twitter, Xbox, but it is likely to affect many more, Tuesday (18/1/2022).