Safari 15 IndexedDB Leaks

Update (January 26, 2022):

Apple released iOS and iPadOS 15.3 and macOS Monterey 12.2 software updates that fix this vulnerability (CVE-2022-22594).

What is this vulnerability and who is affected?

This demo showcases information leaks resulting from an IndexedDB same-origin policy violation in WebKit (a browser engine primarily used in Safari, as well as all iOS and iPadOS web browsers). You can test this demo on all affected browsers: Safari 15 on macOS, or any browser on iOS and iPadOS 15.

The demo illustrates how any website can use this leak to learn a visitor's recent and current browsing activity (websites visited in different tabs or windows). For visitors logged into Google services, this demo can also leak Google User IDs and profile pictures.

The demo detects the following websites:

* Requires an authenticated session

This is not an exhaustive list of affected websites. All websites that interact with the IndexedDB API can potentially be detected.