A vulnerability in Safari allows any website to know the latest…


This week FingerprintJS published an article on its blog reporting a serious vulnerability in Safari that allows any website to learn information about the web pages a user has recently visited, or even the image associated with their Google account.

The vulnerability exists because Safari's (WebKit's) implementation of IndexedDB, the technology that lets web pages store information in the browser, does not apply the same-origin policy to the list of databases. That policy should ensure that only pages from the same domain can see the list of databases they created.

The Safari vulnerability allows any website to learn some of the websites we have recently visited.

While it is true that this vulnerability does not allow access to the content of the databases themselves, it does reveal the names of all the databases created in the browser, regardless of which website created them. These databases usually carry the name of the website or even a unique identifier of the user, which allows other websites to know where we have been browsing.
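Since the names are what leaks, a site that creates IndexedDB databases can audit its own names for identifier-like tokens. The sketch below is an added example, not code from FingerprintJS or the original article; the patterns, the function names and the sample database names are constructed assumptions.

```javascript
// Added example: audit IndexedDB database names for user-identifying tokens.
// Heuristic patterns, constructed for illustration; tune them to your own naming scheme.
const IDENTIFIER_PATTERNS = [
  { kind: 'uuid', re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: 'email', re: /[^\s@]+@[^\s@]+\.[a-z]{2,}/i },
  { kind: 'long-number', re: /\d{10,}/ },
  { kind: 'long-hex', re: /[0-9a-f]{24,}/i },
];

// Returns [{ name, kind }] for every name that embeds an identifier-like token.
function findIdentifyingNames(names) {
  const findings = [];
  for (const name of names) {
    if (typeof name !== 'string') continue; // skip entries without a usable name
    const hit = IDENTIFIER_PATTERNS.find((p) => p.re.test(name));
    if (hit) findings.push({ name, kind: hit.kind });
  }
  return findings;
}

// In a browser, audit the databases the current page can list.
// Where indexedDB.databases() is unavailable, fall back to the supplied sample.
async function auditDatabaseNames(sample = []) {
  const canList = typeof indexedDB !== 'undefined' &&
    typeof indexedDB.databases === 'function';
  const names = canList
    ? (await indexedDB.databases()).map((db) => db.name)
    : sample;
  return findIdentifyingNames(names);
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  'app-cache',
  'offline.settings.v2',
  'profile-104857600123456789012',
  'sync-3f2b8c1e-9a4d-4e7b-8c21-5d6f7a8b9c0d',
  'inbox:alice@example.com',
];

auditDatabaseNames(SAMPLE_NAMES).then((findings) => {
  for (const f of findings) console.log(`${f.kind}\t${f.name}`);
});
```

Names flagged here are candidates for renaming to a fixed, non-identifying value, with the per-user key kept inside the database instead of in its name.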

To let us check the scope of this vulnerability for ourselves, or whether our browser is really affected, FingerprintJS has published a test that shows some of the information our browser is leaking.

This vulnerability can be exploited in Safari 15 and other WebKit-based browsers. It was reported in November 2021 but has not been resolved yet, so it is possible that Apple will release an update to fix it in the next few days.


Until then, there is no effective way to mitigate it other than using another browser or temporarily disabling JavaScript on web pages you don't trust. Another option is to use the browser's incognito mode, as long as we do not navigate between different websites in the same browser tab.

For more information, you can consult the original FingerprintJS article.