This week, FingerprintJS published an article on its blog reporting a serious vulnerability in Safari that allows any website to learn information about the user's recently visited web pages, or even the image associated with their Google account.
The vulnerability exists because Safari's (WebKit's) implementation of IndexedDB, a technology that lets web pages store information in the browser, does not apply the same-origin policy, which should ensure that only pages from the same domain can access the list of databases they created.
The Safari vulnerability allows any website to learn some of the websites we have recently browsed.
Although this vulnerability does not allow access to the contents of the databases themselves, it does reveal the names of all the databases created in the browser, regardless of which website created them. These databases usually carry the name of the website or even a unique identifier of the user, which allows other websites to know where we have been browsing.
To check the scope of this vulnerability for ourselves, or whether our browser is really affected, they have published a test that shows some of the information our browser is leaking.
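The scoping failure described above can be modelled in a few lines. This is an added example, not code from FingerprintJS or WebKit; the `DatabaseRegistry` class, the origins and the database names are all constructed for illustration.

```javascript
// Toy model of a browser's IndexedDB registry. Constructed for illustration;
// this is not WebKit code. Every database is recorded with its creating origin.
function normalizeOrigin(url) {
  // An origin is scheme + host + port; paths and default ports are dropped.
  return new URL(url).origin;
}

class DatabaseRegistry {
  constructor() {
    this.entries = []; // { origin, name }
  }

  create(pageUrl, name) {
    this.entries.push({ origin: normalizeOrigin(pageUrl), name });
  }

  // Entries a caller may see. With sameOriginEnforced=false the origin check
  // is skipped, which models the flaw the article describes.
  visible(callerUrl, sameOriginEnforced) {
    const caller = normalizeOrigin(callerUrl);
    return this.entries.filter(
      (e) => !sameOriginEnforced || e.origin === caller
    );
  }
}

// Database names the caller can list.
function listNames(registry, callerUrl, sameOriginEnforced) {
  return registry.visible(callerUrl, sameOriginEnforced).map((e) => e.name);
}

// Names visible to the caller that were created by a different origin.
function leakedNames(registry, callerUrl, sameOriginEnforced) {
  const caller = normalizeOrigin(callerUrl);
  return registry
    .visible(callerUrl, sameOriginEnforced)
    .filter((e) => e.origin !== caller)
    .map((e) => `${e.origin}: ${e.name}`);
}

// Constructed sample data: three unrelated sites, one embedding a user id.
const registry = new DatabaseRegistry();
registry.create("https://mail.example/inbox", "mail.example-cache");
registry.create("https://video.example/watch", "user-7f3a9c-history");
registry.create("https://news.example:443/front", "reader-state");

console.log("flawed listing leaks:", leakedNames(registry, "https://news.example/", false));
console.log("same-origin listing leaks:", leakedNames(registry, "https://news.example/", true));
```

With the origin check in place, the caller sees only its own database; without it, the names alone reveal which sites were visited and, in the second entry, a per-user identifier.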