A Major Apple Safari Privacy Bug Means All Websites Can Access Your Google ID, Other Private Data

If you care about your privacy, you should turn off your iPhone: because of a serious implementation bug in Safari, any website is able to read some of your private data and recent browsing history, even in private browsing mode.

The problem lies in how Safari implements IndexedDB, a browser-based database commonly used by web applications. Most browsers create a new instance of IndexedDB for each website, accessible only from that website.

Safari, however, creates an empty copy of every IndexedDB database that any web page creates inside every other web page, which means that Safari does not correctly enforce the same-origin policy for IndexedDB.

Even if IndexedDB shadow copies created for other web pages are empty, they still have the same name as the actual database created by the original web application, which may leak private information. The mere presence of the database will let other web pages know that you have visited another website. For example, the presence of Netflix IndexedDB could tell Amazon that you are a Netflix user. Even worse, however, the database name can leak your credentials. For example, the database name of Google applications (such as Gmail or YouTube) includes your Google ID, which can be used to access your publicly available information, such as your profile picture.
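Because the leak exposes database names rather than contents, a site owner can check whether its own IndexedDB names embed user identifiers. The following is an added example, not code from FingerprintJS or from this article; the function names, patterns and sample names are hypothetical, and `indexedDB.databases()` is the standard browser call for listing the current origin's databases.

```javascript
// Added example: audit a site's own IndexedDB database names for embedded
// user identifiers. Function names and sample values are constructed.

// Heuristics for identifier-looking substrings (assumptions; tune per app).
const PATTERNS = [
  { kind: "email", re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/ },
  { kind: "long-numeric-id", re: /\d{12,}/ },
];

// Returns one finding per database name that contains a known user id
// verbatim or matches an identifier-looking pattern.
function auditDatabaseNames(names, knownUserIds = []) {
  const findings = [];
  for (const name of names) {
    const reasons = [];
    const lower = String(name).toLowerCase();
    if (knownUserIds.some((id) => id && lower.includes(String(id).toLowerCase()))) {
      reasons.push("known-user-id");
    }
    for (const { kind, re } of PATTERNS) {
      if (re.test(name)) reasons.push(kind);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// In a browser, audit the databases of the current origin only.
async function auditCurrentOrigin(knownUserIds = []) {
  if (typeof indexedDB === "undefined" || !indexedDB.databases) return [];
  const dbs = await indexedDB.databases();
  return auditDatabaseNames(dbs.map((d) => d.name), knownUserIds);
}

// Constructed sample names, as a logged-in session might create them.
const SAMPLE_NAMES = [
  "app-cache",
  "offline.settings.108234567890123456789",
  "mailstore-alice@example.com",
  "prefs-u_4821",
];
const sampleFindings = auditDatabaseNames(SAMPLE_NAMES, ["u_4821"]);
```

Names that are flagged can be replaced with a fixed or randomly generated name, with the user-specific key kept inside the database rather than in its name.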

The bug was discovered and reported by FingerprintJS on November 28, but so far Apple has taken no action.

You can test the issue on the FingerprintJS proof-of-concept website here, which will check if you’ve recently visited 30 different major websites.

On macOS, users can and should use another browser, but on iOS all browsers use the Safari web engine, which means all iPhone users have no mitigation except to stop using the browser on their phone.


