FingerprintJS published an article exposing a Safari vulnerability, describing a bug in “Safari 15’s implementation of the IndexedDB API that lets any website track your internet activity and even reveal your identity.” FingerprintJS also published a demo site, https://safarileaks.com/, that shows the vulnerability in action.
FingerprintJS noted that the leak arises from how IndexedDB interacts with the same-origin policy when websites are open in different tabs. Private browsing mode is affected by the bug as well. Many popular websites are affected, including Google, WhatsApp, YouTube and Instagram.
Opening the safarileaks page in one tab and YouTube in another tab produces the message “Your browser currently leaks 5 database names.”
The following sites from Alexa’s top 1000 are affected by the bug, among many others: alibaba.com, anchor.fm, app.slack.com, bloomberg.com, boston.com, calendar.google.com, cnet.com, computerworld.com, ctvnews.ca, developers.google.com, dropbox.com, globalnews.ca, huffingtonpost.com, indiegogo.com, instagram.com, keep.google.com, netflix.com, nymag.com, pexels.com, rollingstone.com, standard.co.uk, stitcher.com, theglobeandmail.com, timeout.com, twitter.com, vk.com, weather.com, web.whatsapp.com, xbox.com and youtube.com.
Unfortunately, there is no fix at the moment in macOS or iOS; Apple users must wait for Apple to fix this. The only safer alternative is to use another browser to avoid the issue. If Apple can hear us: Apple, can you do something sooner, pretty please?
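The browser bug itself can only be fixed by Apple, but because what leaks across origins is the list of database names, a site can limit what those names reveal. The following is an added example, not code from the original post or from FingerprintJS: it audits a list of database names (the shape returned by `indexedDB.databases()`) for patterns that would identify a user, and contrasts a leaky naming scheme with a constant one. The patterns, function names and sample names are constructed for this example.

```javascript
// Added example (not from the original post or from FingerprintJS).
// The Safari 15 bug exposes the *names* of IndexedDB databases to other
// origins, so a site reduces its own exposure by never encoding account or
// session identifiers in those names. Patterns and samples are constructed.

// Heuristics for names that would identify a user if another origin saw them.
const IDENTIFYING_PATTERNS = [
  { label: "numeric account id", re: /\d{6,}/ },
  { label: "email address", re: /[^\s@]+@[^\s@]+\.[^\s@]+/ },
  { label: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { label: "long hex token", re: /[0-9a-f]{32,}/i },
];

// Audit a list of { name, version } entries, as indexedDB.databases() returns
// them in the browser, and report the names that look identifying.
function auditDatabaseNames(dbs) {
  const findings = [];
  for (const { name } of dbs) {
    for (const { label, re } of IDENTIFYING_PATTERNS) {
      if (re.test(name)) {
        findings.push({ name, reason: label });
        break; // one finding per name is enough for the report
      }
    }
  }
  return findings;
}

// Leaky pattern: one database per user, with the account id in the name.
function leakyDbName(userId) {
  return `app-cache-${userId}`;
}

// Safer pattern: a constant per-origin name; the user scope lives inside the
// database as an object-store key, which the name leak does not expose.
function safeDbName() {
  return "app-cache";
}

// Constructed sample of what a browser might report for one origin.
const SAMPLE_DBS = [
  { name: leakyDbName("123456789012"), version: 1 },
  { name: "drafts-alice@example.com", version: 3 },
  { name: safeDbName(), version: 1 },
];

console.log(auditDatabaseNames(SAMPLE_DBS)); // flags the first two names only
```

In a page context, replace `SAMPLE_DBS` with `await indexedDB.databases()` to audit the names your own origin actually creates.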