Chrome's Latest Update Fixes Long-Standing Privacy Flaw
In a significant move towards enhancing user privacy, Google has patched a critical vulnerability in its Chrome browser that has persisted since its inception. This flaw raised alarms over potential tracking of a user's online behavior and browsing history.
Google recently addressed high-severity issues that could lead to unauthorized access to sensitive data in its browser. However, their latest patch focuses on an enduring vulnerability, one that could have compromised user privacy by allowing websites to snoop on users' browsing habits. According to a recent blog post, the vulnerability stemmed from the :visited CSS selector. This selector allowed websites to style links in different colors if a user had previously clicked them, enabling malicious sites to determine which links had been visited based on their color.
Google emphasized that the flaw is more than just a privacy issue; it is considered a "core design flaw" that poses real security risks, including tracking, profiling, and phishing attacks. Left uncorrected, the flaw could let a malicious site learn about users' browsing histories.
For example, when a user clicks a link on Site A that directs them to Site B, that link gets recorded in the user's :visited history. If the user later visits a malicious site (let's call it Site Evil) that also links to Site B, then without the right protections in place Site Evil could see that link styled as :visited, revealing that the user has visited Site B before. This would leak sensitive browsing history information.
Chrome's latest update introduces triple-key partitioning, which changes how visited links are tracked. Under the new system, Chrome considers three specific factors (the link's actual URL, the top-level site being visited, and the frame origin where the link is displayed) before marking a link as visited. This protects user privacy by preventing cross-site tracking of visited links.
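The difference between a single shared visited-link list and the triple-keyed one can be shown with a small model that replays the Site A / Site B / Site Evil scenario above. This is an added illustration, not Chrome's code: the class names, the example hostnames, and passing the top-level site in as a ready-made string are all assumptions.

```javascript
// Added illustration: a toy model of visited-link lookup, not Chrome's code.
// Hostnames are constructed; the "site" value is supplied directly instead of
// being derived from a public-suffix list as a real browser would do.

class UnpartitionedHistory {
  constructor() { this.visited = new Set(); }
  // Only the link URL is stored, so every page consults one global list.
  recordClick(linkUrl, _topLevelSite, _frameOrigin) { this.visited.add(linkUrl); }
  isVisited(linkUrl, _topLevelSite, _frameOrigin) { return this.visited.has(linkUrl); }
}

class PartitionedHistory {
  constructor() { this.visited = new Set(); }
  // The three factors named in the article form one lookup key.
  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([linkUrl, topLevelSite, frameOrigin]);
  }
  recordClick(linkUrl, topLevelSite, frameOrigin) {
    this.visited.add(PartitionedHistory.key(linkUrl, topLevelSite, frameOrigin));
  }
  isVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.visited.has(PartitionedHistory.key(linkUrl, topLevelSite, frameOrigin));
  }
}

// Replays the article's scenario and reports where the link would be
// styled as :visited under the given history model.
function replayScenario(history) {
  const siteA = "https://site-a.example";
  const siteEvil = "https://site-evil.example";
  const linkToB = "https://site-b.example/";

  // The user clicks the link to Site B while browsing Site A.
  history.recordClick(linkToB, siteA, siteA);

  return {
    onSiteA: history.isVisited(linkToB, siteA, siteA),
    onSiteEvil: history.isVisited(linkToB, siteEvil, siteEvil),
    // Site A's page embedded as a frame inside Site Evil: the frame origin
    // matches the original click, but the top-level site does not.
    siteAFramedByEvil: history.isVisited(linkToB, siteEvil, siteA),
  };
}

console.log("unpartitioned:", replayScenario(new UnpartitionedHistory()));
console.log("partitioned:  ", replayScenario(new PartitionedHistory()));
```

In the unpartitioned model all three lookups report the link as visited; in the partitioned model only the lookup on Site A does.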