IndexedDB, a browser API that stores large amounts of data, may be leaking information in Safari 15 and on other platforms due to a bug, according to a report issued Friday by security firm FingerprintJS.
“The fact that database names leak across different origins is an obvious privacy violation,” FingerprintJS writes. “It lets arbitrary websites learn what websites the user visits in different tabs or windows.”
In addition, authenticated users can be “uniquely and precisely identified,” the report says.
MediaPost was unable to independently verify these claims at deadline. But this is how the problem allegedly works.
IndexedDB, like most web-browser technologies, follows the same-origin policy, “a fundamental security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from other origins,” FingerprintJS explains.
“In Safari 15 on macOS, and in all browsers on iOS and iPadOS 15, the IndexedDB API is violating the same-origin policy,” the report says.
But it adds: “The only real protection is to update your browser or OS once the issue is resolved by Apple.”