A software flaw in Apple Safari 15’s implementation of the IndexedDB API could be used by a malicious website to track users’ online activities and, worse, expose their identities.
IndexedDB is a low-level JavaScript API, supplied by web browsers, for maintaining NoSQL databases of structured data items such as files and blobs. It is supported by all major browsers.
Because each indexed database is associated with a specific origin, scripts from other origins should not be allowed to interact with it. However, FingerprintJS discovered that the IndexedDB API in Safari 15 on macOS and browsers for iOS and iPadOS 15 devices violates the same-origin restriction.
The same-origin policy is a basic security feature that ensures that resources retrieved from different origins are isolated from one another. An origin is defined by a URL’s scheme (protocol), host (domain), and port number. Because they employ distinct schemes, “http://example.com/” and “https://example.com/” are not of the same origin.
The idea is to isolate potentially malicious scripts and reduce attack vectors by preventing a malicious website from running arbitrary JavaScript code to read data from another domain, such as an email service. This can be achieved by restricting how a script loaded by one origin can interact with a resource from another origin.
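The isolation described above can be modelled in a few lines. The following is an added example, not code from Apple, FingerprintJS or Qualys; `originOf`, `sameOrigin`, `OriginScopedStore` and the sample URLs are hypothetical names chosen for illustration. It derives the (scheme, host, port) origin of a URL and shows a store that answers every request, including listing database names, only from the caller's own origin partition.

```javascript
// Added illustration: a toy model of origin-scoped storage, not browser code.
// originOf, sameOrigin, OriginScopedStore and the URLs are hypothetical.

// An origin is the (scheme, host, port) tuple; default ports are made explicit.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(url) {
  const u = new URL(url); // lower-cases the host and drops default ports
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Every database is filed under the origin that created it, and every
// operation is answered only from the caller's own partition.
class OriginScopedStore {
  constructor() {
    this.partitions = new Map(); // origin -> Map(dbName -> records)
  }
  open(callerUrl, dbName) {
    const origin = originOf(callerUrl);
    if (!this.partitions.has(origin)) this.partitions.set(origin, new Map());
    const dbs = this.partitions.get(origin);
    if (!dbs.has(dbName)) dbs.set(dbName, []);
    return dbs.get(dbName);
  }
  // Listing is scoped the same way as reads and writes.
  listDatabases(callerUrl) {
    const dbs = this.partitions.get(originOf(callerUrl));
    return dbs ? [...dbs.keys()].sort() : [];
  }
}

// Constructed sample: two sites each create a database in the same browser.
function demo() {
  const store = new OriginScopedStore();
  store.open("https://mail.example/inbox", "messages").push({ id: 1 });
  store.open("https://other.example/", "prefs");
  return {
    mail: store.listDatabases("https://mail.example:443/settings"),
    other: store.listDatabases("https://other.example/page"),
    httpMail: store.listDatabases("http://mail.example/"),
  };
}
```

In this model, a page on `https://other.example` sees only `prefs`, and the `http://` variant of the mail site sees nothing, because its scheme puts it in a different origin.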
Affected versions
Only Apple Safari 15.x versions on macOS are affected by this vulnerability.
Mitigation
Apple has not released any patch for this vulnerability.
Qualys Detection
Qualys customers can scan their devices with QID 376307 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/
https://www.securityweek.com/safari-15-vulnerability-allows-cross-site-tracking-users
https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.html