A software bug in Apple's Safari 15 browser might allow any website to track your online activities and possibly reveal your identity on macOS, iOS, and iPadOS 15. Your Google User ID can be exposed to other websites as a result of the problem. The issue is also reported to affect private mode viewing in Safari 15. The bug is due to an issue with Apple's implementation of IndexedDB, an application programming interface (API) that keeps data in your browser.
"IndexedDB is a client-side storage API for browsers that can handle large volumes of data. All major browsers support it, and it's widely used," said FingerprintJS, a browser fingerprinting and fraud detection service, in a statement.
According to the report, over 30 websites directly interact with indexed databases on their homepage, with no additional user involvement or authentication required. "We estimate this figure to be substantially larger in real-world circumstances," the FingerprintJS team added, "since websites can connect with databases on subpages, after specific user actions, or on authenticated areas of the page." Like most modern web browser technologies, IndexedDB follows the same-origin policy. The same-origin policy is a basic security feature that limits how documents or scripts loaded from one origin interact with resources from other origins.
The same-origin policy, for example, stops a malicious webpage from reading or modifying your email if you open your email account in one tab and a malicious URL in another. "The IndexedDB API violates the same-origin restriction in Safari 15 on macOS and all browsers on iOS and iPadOS 15," according to FingerprintJS. When a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.
Unless you move to a separate profile, such as in Chrome, or open a private window, windows and tabs normally share the same session. This means that other websites can see the names of databases created on other sites, and those names may contain personal information about you. FingerprintJS discovered the leak; however, Safari has yet to be updated. "The fact that database names are leaked from many sources is a clear breach of privacy. It allows any website to learn which websites a person visits in multiple tabs or windows," they explained.