The bug allows websites that use IndexedDB to access the names of IndexedDB databases generated by other websites during a user’s browser session. A website could use the bug to track other websites visited by the user in different tabs or windows, as database names are often unique and specific to each website. The correct behavior is that websites can access only their own IndexedDB databases.
Some websites use user-specific unique identifiers in IndexedDB database names. One such site, YouTube, creates databases that include a user’s authenticated Google user ID in the name, and this ID can be used in combination with Google APIs to retrieve personal information about the user, like a profile picture, according to FingerprintJS. Bad actors could use the information to determine a user’s identity.
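Site operators can check whether the database names their own origin creates carry per-user values of the kind described above. The following is an added example, not code from FingerprintJS, WebKit or any affected site: the helper names, patterns and sample names are constructed assumptions, and `indexedDB.databases()` is the standard API for listing an origin's databases.

```javascript
// Added example: audit IndexedDB database names created by your own site.
// Heuristic patterns (constructed) for values that tend to identify a user.
const PATTERNS = {
  uuid: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i,
  email: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i,
  longNumber: /\d{12,}/,
};

// Run on your own site, once per signed-in test account, to capture the names.
async function collectOwnDatabaseNames(idb = globalThis.indexedDB) {
  const dbs = await idb.databases();
  return dbs.map((d) => d.name);
}

// namesByAccount: { label: [names...] } captured under different test accounts.
function auditDatabaseNames(namesByAccount) {
  const accounts = Object.keys(namesByAccount);
  const seenIn = new Map(); // name -> Set of account labels that had it
  for (const acct of accounts) {
    for (const name of namesByAccount[acct]) {
      if (!seenIn.has(name)) seenIn.set(name, new Set());
      seenIn.get(name).add(acct);
    }
  }
  const findings = [];
  for (const [name, owners] of seenIn) {
    const reasons = Object.entries(PATTERNS)
      .filter(([, re]) => re.test(name))
      .map(([kind]) => kind);
    // A name that exists for some accounts but not all varies per user.
    if (accounts.length > 1 && owners.size < accounts.length) {
      reasons.push("account-specific");
    }
    if (reasons.length) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample: names captured under two test accounts.
const SAMPLE = {
  accountA: ["app-cache", "offline-queue:100000000000000000001", "prefs|a.user@example.com"],
  accountB: ["app-cache", "offline-queue:100000000000000000002", "prefs|b.user@example.com"],
};

for (const f of auditDatabaseNames(SAMPLE)) {
  console.log(`${f.name}: ${f.reasons.join(", ")}`);
}
```

Names flagged here are candidates for renaming to a fixed, per-site constant, with the user-specific value moved inside the database rather than into its name.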
The bug affects recent versions of browsers using Apple’s open-source WebKit browser engine, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15. Third-party iOS and iPadOS browsers are also affected, because Apple requires all browsers to use WebKit on iPhone and iPad.
FingerprintJS has posted a live demo of the bug which indicates that older browsers like Safari 14 for Mac are not affected. No user action is required for a website to access IndexedDB database names generated by other websites. Incognito mode does not protect against the bug in affected Safari versions.
“A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user is visiting in real time,” the blog post says. “Alternatively, websites can open any website in an iframe or popup to trigger an IndexedDB-based leak for that specific site.”
Apple will have to release software updates to fix the bug on macOS, iOS, and iPadOS. We’ll keep you posted and let you know when we hear of a fix.