IndexedDB, an API supported by the main browsers that works as a database for storing large amounts of information from web pages, has a bug in Safari that constitutes a significant privacy issue. Specifically, the bug allows websites that use the API to access data from other pages, the user's private information and their search history, as discovered by FingerprintJS.
The API, commonly used by developers, is designed to create a unique database for each website. That is, the stored information should be accessible only to that same page, not to third parties. Because of the bug in Safari's WebKit, however, arbitrary websites can access the databases of pages opened in a tab or window.
“Every time a website interacts with a database, a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session.”
The problem with this Safari bug goes beyond a clear violation of the user’s private data. As explained by the aforementioned portal, some of the websites that use IndexedDB usually store a unique user identifier. YouTube, for example, stores the Google user ID in that database. This includes public information that can be accessed by malicious websites to identify the user, such as the profile image.
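Since the database name is what gets mirrored into other tabs and frames, a site operator can check whether its own names carry user identifiers. The audit below is an added example, not code from FingerprintJS or Apple; the patterns, function names and sample names are assumptions constructed for illustration.

```javascript
// Added example: audit the IndexedDB database names of your own origin
// for embedded user identifiers. The heuristics are illustrative assumptions.
const ID_PATTERNS = [
  { kind: "uuid", re: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i },
  { kind: "email", re: /[^\s@|:]+@[^\s@|:]+\.[a-z]{2,}/i },
  { kind: "long-number", re: /\d{10,}/ },   // account-ID style digit runs
  { kind: "long-hex", re: /[0-9a-f]{16,}/i }, // hashes or session tokens
];

// Classify one database name; the first matching pattern wins.
function classifyName(name) {
  for (const { kind, re } of ID_PATTERNS) {
    const m = re.exec(name);
    if (m) return { name, risky: true, kind, match: m[0] };
  }
  return { name, risky: false, kind: null, match: null };
}

// Return only the names that appear to embed an identifier.
function auditDatabaseNames(names) {
  return names.map(classifyName).filter((r) => r.risky);
}

// In a browser: audit the databases of the current origin.
// Returns null where indexedDB.databases() is unavailable (e.g. Node).
async function auditCurrentOrigin() {
  if (typeof indexedDB === "undefined" || typeof indexedDB.databases !== "function") {
    return null;
  }
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name));
}

// Constructed sample names, not taken from any real site.
const SAMPLE_NAMES = [
  "app-cache",
  "settings-v2",
  "LogsDatabase:108123456789012345678",
  "drafts|3f2b8c1e-9a4d-4e6f-8b1a-2c3d4e5f6a7b",
  "offline:alice@example.com",
];

console.log(auditDatabaseNames(SAMPLE_NAMES));
```

Names flagged here are candidates for renaming to a fixed, user-independent value, with the identifier kept inside the database rather than in its name.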
Is there a fix for the IndexedDB bug in Safari and Chrome on iOS 15?
The exploit mainly affects Safari 15, the version of Apple’s browser available in iOS 15, iPadOS 15, and macOS Monterey. However, other browsers that work on the mentioned versions of the different operating systems have also been affected. One of them is Google Chrome on iOS, since it uses WebKit, Apple’s browser engine where the IndexedDB API is included.
At the moment, there is no definitive method to prevent websites from accessing the database of other pages opened in the same browser. In fact, the bug also applies to private tabs in Safari or Chrome. The only way to prevent the data from being accessible by other websites is to block the execution of JavaScript in the browser. However, this can prevent some important elements of a website, such as images and videos, from being displayed. Apple is likely to release a patch in the next few hours to fix the bug. Therefore, it is recommended to periodically check for available updates for iOS, iPadOS or Safari and Chrome.