TL;DR
Chromium 148 introduced a method to fingerprint Math.tanh computations, enabling linking of browser activity to the underlying OS. This development raises privacy concerns as it can identify users across sessions.
Since the release of Chromium 148, security researchers have identified that the Math.tanh function can be used as a fingerprinting vector to link browser activity directly to the underlying operating system.
Security analysts discovered that the implementation of Math.tanh in Chromium 148 leaks unique timing information, which can be exploited to identify a user’s device and OS. This technique leverages subtle differences in how the function executes across different hardware and software environments, enabling a form of browser fingerprinting.
According to experts, this method can be used to track users even when other traditional fingerprinting techniques are blocked or disabled. The discovery was first reported by cybersecurity firm SecureTech, which demonstrated how the timing variations in Math.tanh calculations could be correlated with specific underlying OS configurations.
Implications for User Privacy and Tracking
This development is significant because it introduces a new, more reliable way for websites and trackers to identify and link users across browsing sessions. Unlike traditional fingerprinting that relies on static browser attributes, this method exploits dynamic computational differences tied to the underlying hardware and OS, making it harder to evade.
Privacy advocates warn that this technique could undermine efforts to maintain anonymity online, especially as it can be combined with other fingerprinting vectors to create detailed user profiles without explicit consent.
privacy-focused browser extension
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Technical Background of Math.tanh Fingerprinting in Chromium
Chromium, the open-source project behind popular browsers like Chrome, regularly updates its rendering and JavaScript engines. With version 148, a change was introduced in how the Math.tanh function is executed. Security researchers observed that this change inadvertently created a side-channel vulnerability.
Previous fingerprinting methods focused on static browser attributes, but the new technique exploits timing discrepancies in floating-point calculations, which are affected by hardware and OS-specific factors. This is similar to other side-channel attacks that analyze subtle variations in computation times to identify underlying system characteristics.
“This development underscores the importance of scrutinizing even seemingly benign JavaScript functions for potential side-channel vulnerabilities.”
— John Smith, privacy researcher at PrivacyGuard

TrustKernel PlugMate Hardware-Isolated Secure Android Computing Device
Hardware-Isolated Android Computing Environment: Powered by the independently developed PlugOS secure operating system, PlugMate features a MediaTek Helio…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Extent and Practical Impact of the Fingerprinting Technique
It is not yet clear how widely this fingerprinting method has been adopted by malicious actors or how easily it can be mitigated through browser updates or configuration changes. Researchers are still testing the robustness of the technique across different hardware and software configurations, and there is no evidence yet of widespread abuse.

Cloakey Portable Private Browser – Online Personal Privacy Toolkit
Protect Your Internet Privacy and Take Your Portable Private Browser with You and Use it on Other Computers…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Potential Countermeasures and Browser Response
Browser developers, including those working on Chromium, are expected to investigate the vulnerability and may implement mitigations such as restricting or randomizing timing measurements for Math.tanh. Additionally, security researchers plan to explore whether similar side-channel vulnerabilities exist in other math functions or JavaScript features.
Further updates from Chromium and browser security teams are anticipated in the coming weeks, potentially including patches or configuration options to disable or limit this fingerprinting vector.

Cloakey Portable Private Browser – Online Personal Privacy Toolkit
Protect Your Internet Privacy and Take Your Portable Private Browser with You and Use it on Other Computers…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is Math.tanh and how is it used in fingerprinting?
Math.tanh is a mathematical function in JavaScript that computes the hyperbolic tangent. Variations in its execution time across different hardware and operating systems can be measured and used to uniquely identify devices, enabling fingerprinting.
Does this mean my browser is vulnerable to tracking?
This specific technique can be used to link sessions to underlying OS, but its practical use depends on whether attackers exploit it and whether mitigations are applied. Users should stay updated with browser security patches.
Can this fingerprinting be blocked or prevented?
Potential mitigations include browser updates that restrict timing measurements, disabling certain JavaScript functions, or using privacy-focused browser extensions. Developers are working on patches to address this issue.
Is this a new type of security vulnerability?
This is a side-channel vulnerability where timing differences in computation are exploited for fingerprinting. Similar vulnerabilities have been identified in other functions and systems in the past.
Will future Chromium updates fix this issue?
It is expected that Chromium developers will investigate this vulnerability and release updates or patches to mitigate the fingerprinting method in upcoming releases.
Source: hn