Apple reported the issue last year.
FingerprintJS experts have determined that the problem exists in Safari 15 on all devices. The vulnerability also provides access to data in other browsers on iOS 15 and iPadOS 15.
Due to the use of the IndexedDB standard, the software saves data on users' devices. Normally, only the site for which it was created can access its database.
But in Safari, with each such access attempt, new empty databases are created for all windows and tabs – with the same names as original. As a result, third-party resources see what other pages are visited.
In addition, YouTube, the calendar and other Google services store user logins in the names of their local databases. Using them, cybercriminals can also obtain other data, such as the last name, first name, and account photo.
You can see how this works on a special website created by FingerprintJS – it shows recent activity in Safari. Experts reported the problem to Apple on November 21, 2021, but the vulnerability has not yet been closed.