A software bug introduced in Apple Safari 15’s implementation of the IndexedDB API could be abused by a malicious website to track users’ online activity in the web browser and worse, even reveal their identity.
The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021.
“Like most web storage solutions, IndexedDB follows a same-origin policy,” Mozilla notes in its documentation of the API. “So while you can access stored data within a domain, you cannot access data across different domains.”
Same-origin is a fundamental security mechanism that ensures that resources retrieved from distinct origins — i.e., a combination of the scheme (protocol), host (domain), and port number of a URL — are isolated from each other. This effectively means that “http[:]//example[.]com/” and “https[:]//example[.]com/” are not of the same origin because they use different schemes.
images from Hacker News