In a nutshell, the bug allows any website that uses IndexedDB to read the names of IndexedDB databases created by other websites during a user's browsing session. Because database names are often unique and specific to each website, a site could use this to learn which other websites the user has open in other tabs or windows. The correct and normal behavior is that a website can see only its own IndexedDB databases.
In some cases, websites use user-specific unique identifiers in IndexedDB database names. For example, YouTube creates databases whose names include the authenticated user's Google user ID, and according to FingerprintJS this ID can be used with Google APIs to retrieve personal information about the user, such as a profile photo. This personal information could help a malicious actor determine a user's identity.
The bug affects newer versions of browsers using Apple’s open-source WebKit browser engine, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15. The bug also affects third-party browsers like Chrome on iOS 15 and iPadOS 15, as Apple requires all browsers to use WebKit on iPhone and iPad. FingerprintJS has a live demo of the bug which indicates that older browsers like Safari 14 for Mac are not affected.
FingerprintJS noted that no user action is required for a website to access IndexedDB database names generated by other websites.
“A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user is visiting in real time,” the blog post says. “Alternatively, websites can open any website in an iframe or popup to trigger an IndexedDB-based leak for that specific site.”
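The two checks implied above, written as an added example that is not code from the article or from FingerprintJS: the cross-origin check the live demo performs (names this origin never created show up only on an affected WebKit build) and a site-owner audit that flags database names embedding a per-user token, which is what turns a name leak into an identity leak. All database names here are constructed samples, not any real site's naming scheme.

```javascript
// Added example (not from the article or FingerprintJS). Constructed names throughout.

// Names this origin legitimately created (constructed).
const OWN_DB_NAMES = ["app-cache", "settings"];

// `observed` is the array indexedDB.databases() resolves to ({name, version} objects)
// or plain strings. On a correctly behaving browser every entry is one of `own`, so the
// result is empty; on an affected Safari 15 / iOS 15 build it lists other sites' names.
function foreignDatabaseNames(observed, own = OWN_DB_NAMES) {
  const mine = new Set(own);
  return observed
    .map((d) => (typeof d === "string" ? d : d && d.name))
    .filter((name) => typeof name === "string" && !mine.has(name));
}

// Audit heuristic: a token that looks like an account id (10+ digits), an opaque
// alphanumeric id (16+ chars mixing letters and digits) or an email address.
function embedsUserIdentifier(name) {
  if (/[^\s@:|/]+@[^\s@:|/]+\.[^\s@:|/]+/.test(name)) return true;
  return name.split(/[^A-Za-z0-9]+/).some(
    (tok) =>
      /^\d{10,}$/.test(tok) ||
      (tok.length >= 16 && /[A-Za-z]/.test(tok) && /\d/.test(tok))
  );
}

// Report a site owner can run over its own database names. The leak exposes names, not
// contents, so the mitigation is a constant per-site name with the user id kept inside a
// record. Hashing the id is not enough: a stable per-user hash still lets a leaking
// browser link the same user across sites.
function auditDatabaseNames(names) {
  return names.map((name) => {
    const identifying = embedsUserIdentifier(name);
    return {
      name,
      identifying,
      recommendation: identifying
        ? "use a constant per-site name and store the user id inside a record"
        : "ok",
    };
  });
}
```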
Incognito mode does not protect against the bug in affected Safari versions.
Users will have to wait for Apple to fix the bug with software updates – we’ve contacted Apple to see if a fix is planned. Meanwhile, Safari 15 users can temporarily switch to another browser on the Mac, but this is not possible on the iPhone or iPad as all browsers are affected by the WebKit bug on these devices.
The bug was reported to the WebKit Bug Tracker on November 28. More details can be found in the FingerprintJS blog post, reported earlier by 9to5Mac.