The bug affects the Safari 15 browser for Mac and all versions of Safari on iOS 15 and iPadOS 15.
Researchers at browser fingerprinting and fraud detection service, FingerprintJS, have identified that a bug in Safari 15 can leak a user’s Google User ID, exposing personal information linked with the Google account and browsing activity.
The bug affects new versions of browsers that use Apple’s open-source browser engine, WebKit. This includes Safari 15 for mac and all versions of Safari on iOS 15 and iPadOS 15.
About the Vulnerability
The bug stems from an issue identified in Apple’s application programming interface IndexedDB, which stores data on a browser. This API complies with the same-origin policy that restricts an origin from interacting with data collected on other origins. Only the site that generates data can access it.
However, in Safari 15, this API violates the same-origin policy. Therefore, when a site interacts with any database in Safari, a new database with the same name is created in other active tabs, windows, and frames within that browser session.
FingerprintJS has released a live demo of the bug as well, in which the company proved that the bug doesn’t affect Safari 14.
[embedded content] Dangers Associated