Workers test throwing unsupported on Safari 17.3 about creepjs HOT 10 OPEN

A vulnerability seems to be the case. Possibly connected with https://bugs.webkit.org/show_bug.cgi?id=243555.

from creepjs.

Apple assigned this vulnerability as CVE-2024-27830 and resolved the issue in Safari 17.5. Firefox's issues should be resolved in 127.

from creepjs.

Good catch. It's likely connected with the use of inline workers and modifications implemented here. I will investigate.

• #207

from creepjs.

I'm pondering on whether it is worth changing to support Safari. For now, the single file test page works on safari here.
https://abrahamjuliot.github.io/fpworker/

from creepjs.

Interesting. DedicatedWorkerGlobalScope in Safari 17.4 on both macOS and iOS is consistent with Window when it comes to canvas, but ServiceWorkerGlobalScope and SharedWorkerGlobalScope do not appear to be applying canvas fingerprinting protections and the hashes remain the same even in a private window. Maybe it's just a bug in your code, but have we found ourselves a fingerprinting vulnerability in Safari?

from creepjs.

Apple seems to disagree.

from creepjs.

It's likely determined low based on the severity of canvas entropy derived from Apple GPUs. Canvas protections, at best, probably only neutralize annoying cross site trackers.

WebKit hardware acceleration entropy seems fairly uniform within the same OS/browser version. ¯\_(ツ)_/¯

I imagine, they will consider and fix if feasible. I recall Brave had a similar issue and patched.

from creepjs.

You made me do this, Apple.

from creepjs.

As it turns out, I just discovered that this affects Firefox as well. Service Workers don't apply canvas protections.

from creepjs.

Nice. Thanks for the update @Joe12387

from creepjs.