In a nutshell, the bug allows any website that employs IndexedDB to gain access to the names of IndexedDB databases generated by other websites during a user’s browsing session. Because database names are often unique and specific to each website, the bug could allow one website to track other websites the user visits in different tabs or windows. Normally, a website should be able to access only its own IndexedDB databases; that is the correct and expected behaviour.
FingerprintJS noted that a website does not need to perform any user action to access IndexedDB database names generated by other websites.
According to the blog post, “A tab or window that runs in the background and constantly queries the IndexedDB API for available databases can learn what other websites a user visits in real-time.” “Alternatively, websites can open any website in an iframe or popup window to cause an IndexedDB-based leak for that particular site.”
In affected Safari versions, private browsing mode does not protect against the bug.
Users will have to wait for Apple to address the bug with software updates—we’ve contacted Apple to see if a fix is in the works. In the meantime, Safari 15 users on the Mac could temporarily switch to another browser, but this is not possible on the iPhone or iPad because all browsers on those devices are affected by the WebKit bug.
On November 28, the bug was reported to the WebKit Bug Tracker. More information can be found in FingerprintJS’s blog post, which was previously reported by 9to5Mac.
In some cases, websites use IndexedDB database names that contain unique user-specific identifiers. According to FingerprintJS, YouTube, for example, creates databases that include a user’s authenticated Google User ID in the name, and this identifier can be used with Google APIs to fetch personal information about the user, such as a profile picture. This personal information could aid a malicious actor in determining the identity of a user.
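For site developers, one way to check whether your own origin's database names carry identifier-like strings of the kind described above. This is an added example, not code from FingerprintJS or from this article; the patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: audit the IndexedDB database names of *your own* origin for
// embedded user-specific identifiers. The patterns are heuristic assumptions.
const IDENTIFIER_PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "long-numeric-id", re: /\d{12,}/ },
  { kind: "long-hex-token", re: /[0-9a-f]{24,}/i },
];

// Returns the kinds of identifier-like substrings found in one database name.
function classifyName(name) {
  return IDENTIFIER_PATTERNS.filter(({ re }) => re.test(name)).map(({ kind }) => kind);
}

// Returns [{ name, kinds }] for every name that looks user-specific.
function auditDatabaseNames(names) {
  return names
    .map((name) => ({ name, kinds: classifyName(name) }))
    .filter((finding) => finding.kinds.length > 0);
}

// In a browser, audit the current origin's databases. indexedDB.databases()
// is a standard API that resolves to [{ name, version }, ...].
async function auditOwnOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null; // not running in a browser that exposes the API
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((db) => db.name));
}

// Constructed sample names (not taken from any real site).
const SAMPLE_NAMES = [
  "app-cache",
  "offline-queue:v2",
  "messages|123456789012345678901",
  "profile-3f2504e0-4f89-11d3-9a0c-0305e82c3301",
  "drafts-alice@example.com",
];

console.log(auditDatabaseNames(SAMPLE_NAMES));
```

Names flagged here are candidates for renaming to a fixed, non-identifying string, with the per-user separation moved inside the database.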
The bug affects newer versions of browsers that use Apple’s open-source browser engine WebKit, such as Safari 15 for Mac and Safari on all iOS 15 and iPadOS 15 versions. Third-party browsers such as Chrome on iOS 15 and iPadOS 15 are also affected by the bug, as Apple requires all browsers to use WebKit on the iPhone and iPad.