On January 14th, FingerprintJS disclosed a critical vulnerability in WebKit that affects both Safari on desktop and all mobile browsers on iOS and iPadOS.
The bug they discovered concerns the same-origin policy, a security concept that prevents trackers from reading information from other sites. In this case, data stored by websites via an API called IndexedDB is available to any script running in the browser.
FingerprintJS first reported the issue to Apple on November 28th, 2021, but it received public attention only after its disclosure in January 2022.
Today, we released Ghostery 9.2.0 for Safari. It ships with the first mitigation of the attack to protect Safari users.
We hope that Apple will soon release a fundamental improvement in a new release of its desktop browser and new versions of iOS and iPadOS, but that takes time.
For this vulnerability, we were able to provide a mitigation in the Ghostery extension. Being an extension allows us to roll it out independently of operating system updates. We believe it is our role to support the browser ecosystem in events like this.
Get a fix, download Ghostery.