Last week, security researcher Martin Bajanik published details about a security vulnerability in Safari 15, which allows sites to see the names (but not the contents) of databases saved by other websites. This can potentially serve as a fingerprinting method, but Apple is seemingly close to releasing a fix on both macOS and iOS.

The security issue is related to IndexedDB, a web API that allows sites to store large amounts of data in the browser. Bajanik said in a blog post, "every time a website interacts with a database [on Safari 15], a new (empty) database with the same name is created in all other active frames, tabs, and windows within the same browser session." This allows sites to see the names, but not the contents, of databases created by other sites. It's unlikely that any personal data can be leaked with this method, but a malicious site or script could check and record other sites you have visited that use IndexedDB — potentially allowing for fingerprinting and other (minor) privacy violations. The website safarileaks.com was created as a demonstration of the problem.

Thankfully, it looks like Apple is working quickly to fix the bug. The iOS/iPadOS 15.3 Release Candidate was rolled out to developers earlier today, as well as the macOS 12.2 RC, which both have a patched version of Safari 15.

Now that the bug has been fixed in a Release Candidate, it should roll out to everyone fairly soon. In the meantime, you can use a different web browser on macOS. There's no workaround on iOS and iPadOS, since Apple does not allow third-party rendering engines on the mobile App Store.