A new Safari vulnerability disclosed by FingerprintJS can leak your recent browsing history and some information about your logged-in Google account.
The bug was introduced in Safari 15's implementation of the IndexedDB API, and it lets any website track your internet activity and even reveal your identity.
Proof of Concept
Using the exploit described in the blog post, a nefarious site could scrape your Google User ID and then use that ID to find out other personal information about you, as the ID is used to make API requests to Google services. In the proof-of-concept demo, the user’s profile picture is revealed.
Apple Working on a Fix
All current versions of Safari on iPhone, iPad and Mac are exploitable. FingerprintJS says they reported the bug to Apple on November 28, but it has not yet been resolved.
Apple engineers began working on the bug as of Sunday, have merged potential fixes, and have marked our report as resolved. However, the bug continues to persist for end users until these changes are released.