How to fix the indexedDB leak in Safari 15


Preface

Update: iOS 15.3 and macOS 12.2 have fixed this issue, so if you’re up to date then you don’t need this workaround.

FingerprintJS has made a shocking disclosure of a critical bug in Safari 15’s indexedDB implementation: it breaks the same-origin policy by revealing databases belonging to other websites. This allows any website to uniquely identify you, as well as reveal identifying information like your Google account IDs. You can read more on FingerprintJS’s blog: https://fingerprintjs.com/blog/indexeddb-api-browser-vulnerability-safari-15/

Solution

As a workaround, I wrote a userscript that will overwrite the indexedDB.databases() function with a dummy one that returns an empty list, effectively preventing access to the database list. I’m not familiar with indexedDB, so I’m not sure if this is a bulletproof fix or whether it’ll break websites, but it should at least prevent most exploitation attempts. This is also incredibly useful on iOS, where you cannot use any browser engine besides Safari, even in third-party browser apps.
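The override described above can be written as follows. This is an added example, not the downloadable userscript from this article; `hideDatabaseList` and `makeFakeScope` are hypothetical names, and it assumes the userscript manager runs the code in the page's own JavaScript context before any page script.

```javascript
// Added example, not the userscript distributed with this article.
// Assumption: this runs in the page's own JavaScript context at document
// start, so page scripts only ever see the patched function.

// Replace databases() with a stub that resolves to an empty list.
// Returns how many objects were patched (prototype and/or instance).
function hideDatabaseList(scope) {
  const stub = function databases() {
    // Keep the real API's shape (a Promise of an array) so callers do not break.
    return Promise.resolve([]);
  };
  const targets = [];
  // Patch the prototype so every IDBFactory object on this global is covered...
  if (scope.IDBFactory && scope.IDBFactory.prototype) {
    targets.push(scope.IDBFactory.prototype);
  }
  // ...and the instance, in case an own property shadows the prototype.
  if (scope.indexedDB) targets.push(scope.indexedDB);

  let patched = 0;
  for (const target of targets) {
    try {
      // Non-writable and non-configurable: later scripts cannot restore it.
      Object.defineProperty(target, "databases", {
        value: stub, writable: false, configurable: false, enumerable: true,
      });
      patched++;
    } catch (err) {
      // The property was already locked by other code; leave it untouched.
    }
  }
  return patched;
}

// Constructed stand-in for a browser global so the example runs outside Safari.
function makeFakeScope() {
  class IDBFactory {
    databases() {
      return Promise.resolve([{ name: "other-site-db", version: 1 }]);
    }
  }
  return { IDBFactory, indexedDB: new IDBFactory() };
}

// In a browser, apply the patch to the real global.
if (typeof window !== "undefined") {
  hideDatabaseList(window);
}
```

Opening and using databases through `indexedDB.open()` is unaffected; only the listing call is stubbed.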

To start, install the Userscripts app made by Justin Wasack: https://apps.apple.com/us/app/userscripts/id1463298887?l=en

Afterwards, launch the app and choose a path to a folder where you’ll be storing your userscripts (I recommend creating a folder in iCloud). Once that’s done, download the userscript and put it into the folder you’ve created. You’ll also need to enable the Userscripts extension in Safari settings.

Link to download the userscript: Download (v1.3)

You can check if the userscript worked by using this website: https://safarileaks.com


I hope that this article helped you, and please let me know your thoughts in the comment section below. I hope that Apple will provide a fix for this bug soon, as it’s quite severe.

Safari icon by fasticon.com