Beware of this flaw in Safari!

On their blog official, specialist browser tracking service FingerprintJS unveiled a flaw in the WebKit rendering engine, which affects version 15 of Safari. The problem lies in its implementation ofAPIs IndexedDB and has the consequence of allowing websites to know the names of other sites visited.

IndexedDB is a tool present in all browsers which allows sites to store data on the user’s computer. When used correctly, each site only has access to the information it has recorded. However, due to this flaw, each time a site creates a database via IndexedDB, an empty copy is created in all other tabs, Windows and frames of the same session.

No updates yet

The content of the database is therefore not exposed, only the name. However, many sites include their name when creating their database, which is therefore visible to all other sites visited by the user. Additionally, some even include a user ID, as is the case with Youtube. This can therefore make it possible to identify the Internet user, or at least in the case of google, to retrieve the profile picture. And a site could voluntarily open another site in a frame, without the knowledge of the user, to obtain such information.

It’s not just Safari that’s affected. The flaw also affects third-party browsers on iPhone and iPad given thatApple requires the use of WebKit. the bug was reported on November 28, but Apple has yet to release an update. In the meantime, it is possible to use another browser on macOS, but there is no alternative on iOS and iPadOS.