Apple has since prepared a fix for the bug, according to a WebKit commit on GitHub, but the fix will not be available to users until Apple releases macOS Monterey, iOS 15, and iPadOS 15 updates with an updated version of Safari. Apple declined to comment when asked to provide a timeframe for a fix being released to the public.
The bug allows any website that uses IndexedDB for client-side data storage to access the names of IndexedDB databases generated by other websites during a user’s browsing session. The bug could allow one website to track other websites the user visits in different tabs or windows, as the database names are often specific to each website, and sometimes the database names contain user-specific identifiers that could reveal a user’s identity.
FingerprintJS has a live demo of the bug, which affects newer versions of browsers using Apple’s open source browser engine WebKit, including Safari 15 for macOS and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome and Edge on iOS 15 and iPadOS 15, as Apple requires all iPhone and iPad browsers to use WebKit.
The bug does not affect Safari 14 for macOS or any browser on iOS 14 and iPadOS 14, according to FingerprintJS, which has a blog post with more details.
This article, “Apple Prepares Fix for Safari Bug Allowing Websites to Decipher Your Recent Browsing Activity” first appeared on MacRumors.com
Discuss this article in our forums