Hackers can exploit this bug to obtain your Google User ID
The bug allows any website that uses the IndexedDB API for data storage to get the names of other websites opened by the user during a browsing session even if they are opened in a different tab or window. Affected sites also must use IndexedDB, which is known to hold “a significant amount of data.”
Some of these databases will expose user-specific identifiers that can be used by attackers to capture the name of the user. Apps that place these user-specific identifiers in their databases include YouTube, Google Calendar, and Google Keep.
Identifiers used with apps like YouTube, Google Calendar and Google Keep include a person’s Google User ID. You can prove this for yourself by opening Safarileaks.com on your iPhone or iPad’s mobile web browser. Follow the directions and depending on what sites you’ve recently visited, your Google User ID will appear along with the name of certain websites that you’ve recently opened.
Devices running iOS 14 or iPadOS 14 are not affected by the bug
With your Google User ID, a hacker can identify a specific Google account. Perhaps a bit more concerning, in combination with Google APIs, the bug could reveal your profile picture to a hacker at the least and much more personal information in the worst-case scenario.
One of the problems with this bug is that it doesn’t require that you do anything special to put yourself at risk. You don’t need to be tricked into tapping a link or opening a certain website. And FingerprintJS discovered that 30 of the top 1,000 visited sites (computed by Alexa) have IndexedDB right on their home page which makes it easy for an iPhone or iPad user to step right into this bug unwittingly.
And until Apple delivers the update, there really isn’t much that a user can do to avoid this. Mac users can switch browsers, but iOS and iPadOS users must stick with a browser that runs on the WebKit engine so that is not going to help much. One suggestion is to block all JavaScript by default and only allow it only on sites that are 100% trusted.