Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?



Safari 15 Vulnerability Allows Cross-Site Tracking of Users

A vulnerability in Apple’s implementation of the IndexedDB API in Safari 15 allows websites to track users’ activity on other sites and even to reveal their identity, browser fingerprinting and fraud detection firm FingerprintJS explains.

A vulnerability in Apple’s implementation of the IndexedDB API in Safari 15 allows websites to track users’ activity on other sites and even to reveal their identity, browser fingerprinting and fraud detection firm FingerprintJS explains.

Used in all major browsers, IndexedDB is a low-level browser API for storing client data, which follows the same-origin policy, to restrict the interaction of resources that have different origins.

Because indexed databases are associated with their specific origin, scripts that have a different origin should not be able to interact with those databases that have other origins.

However, FingerprintJS discovered that, in Safari 15 on macOS and in the browsers running on iOS and iPadOS 15 devices, the IndexedDB API is violating the same-origin policy.

“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session,” FingerprintJS explains.

The existence of these “cross-origin-duplicated databases” means that arbitrary websites can learn what other sites the user is visiting in other tabs or windows, because database names are typically website-specific.

In some cases, unique user-specific identifiers are used in the database name, which could allow for the identification of authenticated users.

Websites such as Google Calendar, Google Keep, and YouTube, for example, create databases containing the authenticated user’s Google ID. Databases are created for all of the accounts a user is logged into.

The Google User ID can be used to uniquely identify a specific Google account, and can be used with Google APIs to fetch available information on the account owner, including a user’s profile picture, at a minimum.

“Not only does this imply that untrusted or malicious websites can learn a user’s identity, but it also allows the linking together of multiple separate accounts used by the same user,” FingerprintJS explains.

No user interaction is required for these data leaks to occur, as websites querying the IndexedDB API can learn of other sites in real-time.

FingerprintJS has created a demo page which, once accessed in a vulnerable browser, shows how the user’s identity is leaked, if they are logged into their Google account in the same browser.

To protect themselves, Safari, iOS, and iPadOS users could block JavaScript on all sites that are not trusted, which is a drastic and inconvenient option. On macOS, users could switch to a different browser.

“The only real protection is to update your browser or OS once the issue is resolved by Apple,” FingerprintJS concludes.

Related: Apple Patches iOS HomeKit Flaw After Researcher Warning

Related: Apple Patches Vulnerabilities That Earned Hackers $600,000 at Chinese Contest

Related: Apple Patches 42 Security Flaws in Latest iOS Refresh

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet