The bug allows websites that use IndexedDB to access the names of IndexedDB databases generated by other websites during a user’s browsing session. One website could use the bug to track the other websites visited by the user in different tabs or windows, as the database names are often unique and specific to each website. The correct behavior should be that websites only have access to their own IndexedDB databases.
Some websites use unique user-specific identifiers in IndexedDB database names. One such site, YouTube, creates databases that include a user’s authenticated Google User ID in the name, and this identifier can be used in combination with Google APIs to fetch personal information about the user, such as a profile picture, according to FingerprintJS. Bad actors could use the information to determine a user’s identity.
The bug affects recent versions of browsers using Apple’s open-source browser engine WebKit, including Safari 15 for Mac and Safari on all versions of iOS 15 and iPadOS 15. Third-party iOS and iPadOS browsers are also affected, as Apple requires all browsers to use WebKit on the iPhone and iPad.
FingerprintJS posted a live demo of the bug that indicates older browsers like Safari 14 for Mac are unaffected. No user action is required for a website to access IndexedDB database names generated by other websites. Private browsing mode does not protect against the bug in affected Safari versions.
“A tab or window that runs in the background and continually queries the IndexedDB API for available databases can learn what other websites a user visits in real-time,” the blog post said. “Alternatively, websites can open any website in an iframe or popup window in order to trigger an IndexedDB-based leak for that specific site.”
Apple will need to release software updates to address the bug on macOS, iOS, and iPadOS. We’ll keep you posted and will let you know when we hear about a fix.