Apple has since developed a fix for the issue, says a WebKit commit on GitHub, but the fix will not be available to users until the release of macOS Monterey, iOS 15, and iPadOS 15 updates with an updated version of Safari. Apple has not announced a timeline for the public release of the fix.
The bug allows websites that use IndexedDB to access the names of IndexedDB databases generated by other websites during a user’s browsing session. One website could use the bug to track the other websites visited by the user in different tabs or windows, as the database names are often unique and specific to each website. The correct behavior should be that websites only have access to their own IndexedDB databases.
A Friday blog post by browser fingerprinting service FingerprintJS revealed the bug, and the website also offers a live demo of the bug, showing how it works.
The bug affects recent versions of browsers using Apple’s open-source browser engine WebKit, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15. Third-party iOS and iPadOS browsers are also affected, as Apple requires all browsers to use WebKit on the iPhone and iPad.
No user action is required for a website to access IndexedDB database names generated by other websites. Private browsing mode does not protect against the bug in affected Safari versions.