Bug 262699 (CVE-2024-23206)

Summary: Persistent Tracking via fingerprint.com
Product: WebKit Reporter: Bug <bug.reporter.321>
Component: CanvasAssignee: Matthew Finkel <m_finkel>
Status: RESOLVED FIXED    
Severity: Major CC: aperez, dino, m_finkel, webkit-bug-importer, wenson_hsieh, wilander
Priority: P2 Keywords: InRadar
Version: Safari 17   
Hardware: Unspecified   
OS: iOS 17   

Description Bug 2023-10-05 07:28:54 PDT 
Dear all, I noticed that upon reset of ios device, the fingerprint on fingerprint.com will change but is stable afterwards, despite private mode and all protection active.
The change-on-reset event does not seem to make sense to me, unless fingerprint.com is able to escape from safari to read some (network?) property which changes orngets deleted on device reset, bit not in private mode.

It might be dropping an undeletable cookie somewhere or read some property it is not supposed to.
Where to discuss problems of this kind?
Thanks
Comment 1 Radar WebKit Bug Importer 2023-10-05 15:18:15 PDT 
<rdar://problem/116545792>
Comment 2 Matthew Finkel 2023-12-16 21:49:10 PST 
Pull request: https://github.com/apple/WebKit/pull/977
Comment 3 EWS 2023-12-18 06:49:42 PST 
Committed 267815.640@safari-7617-branch (36d57dc0f23f): <https://commits.webkit.org/267815.640@safari-7617-branch>

Reviewed commits have been landed. Closing PR #977 and removing active labels.
Comment 4 Bug 2023-12-19 07:00:37 PST 
Hello thanks for the quick reaction. Matthew could you contact me on my email to have little discussion how to proceed. There might be more to do, and the analysis of this stuff is exhausting for me. Thanks