• by Ray Schultz , January 17, 2022

IndexedDB, a browser API that stores large amounts of data, may be leaking information in Safari 15 and other platforms due to a bug, according to a report issued Friday by security firm FingerprintJS.

“The fact that database names leak across different origins is an obvious privacy violation,” FingerprintJS writes. “It lets arbitrary websites learn what websites the user visits in different tabs or windows.” 

In addition, authenticated users can also be “uniquely and precisely identified,” the report says.

MediaPost was unable to independently verify these claims at deadline. But this is how the problem allegedly works. 

IndexedDB, like most web-browser technologies, follows the same-origin policy, “a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins,”  FingerprintJS explains.  

“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy,” the report says. 

The report continues: “Unfortunately, there isn’t much Safari, iPadOS and iOS users can do to protect themselves without taking drastic measures. One option may be to block all JavaScript by default and only allow it on sites that are trusted."

But it adds: “The only real protection is to update your browser or OS once the issue is resolved by Apple.”