However, this traditional implementation allowed any website to detect whether a visitor had previously accessed specific URLs by checking if the browser rendered those links as “visited,” effectively leaking browsing history across different sites. This meant that if a user visited Site B through a link on Site A, any other website could later determine that the user had visited Site B, even if the user never clicked a link to Site B from that third site. Malicious websites could create invisible links to thousands of popular websites and use various techniques to detect which ones the browser styled as :visited, creating an effective fingerprinting mechanism that revealed users’ browsing patterns.

The fix, called “:visited link partitioning,” makes Chrome the first major browser to completely eliminate this long-standing privacy risk that has plagued web browsers since the early days of CSS. “This effectively prevents cross-site history leaks while preserving the user experience benefit of visited link styling.”

To maintain usability, Chrome has implemented a “self-links carveout” that allows websites to display their own subpages as visited, even if the user accessed them from a different site. Google justifies this exception by noting that “sites have other methods of tracking whether a user has visited its subpages,” so no new privacy risk is introduced.

Security experts have praised this approach as the right balance between maintaining web compatibility and protecting user privacy, addressing a vulnerability that has persisted since the CSS specification first introduced the :visited selector functionality. The fix is launching with Chrome version 136, making Google’s browser the first to solve this decades-old security vulnerability completely.
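The lookup change described above can be modelled in a few lines. This is an added illustration, not Chrome's code and not from the original article. It assumes the partition key is the link URL plus the top-level site plus the frame origin (taken from Chrome's public description of the feature, not from this page), approximates "site" by URL origin, and uses constructed `.example` hostnames.

```javascript
// Added illustration: a simplified model of the visited-link lookup, not Chrome's code.
// Assumption: "site" is approximated by URL origin (browsers use scheme + registrable domain).
const siteOf = (url) => new URL(url).origin;

class VisitedModel {
  constructor() {
    this.globalHistory = new Set(); // legacy: one history shared by every site
    this.partitioned = new Set();   // partitioned: link URL + top-level site + frame origin
  }

  key(linkUrl, topUrl, frameUrl) {
    return [linkUrl, siteOf(topUrl), siteOf(frameUrl)].join(" | ");
  }

  // The user clicks a link to linkUrl shown in a frame at frameUrl under top-level page topUrl.
  recordClick(linkUrl, topUrl, frameUrl = topUrl) {
    this.globalHistory.add(linkUrl);
    this.partitioned.add(this.key(linkUrl, topUrl, frameUrl));
  }

  // Legacy behaviour: any page asking about linkUrl gets the same answer.
  legacyIsVisited(linkUrl) {
    return this.globalHistory.has(linkUrl);
  }

  // Partitioned behaviour: styled as visited only where it was clicked before,
  // plus the self-links carveout for a site's own pages in its own frames.
  partitionedIsVisited(linkUrl, topUrl, frameUrl = topUrl) {
    if (this.partitioned.has(this.key(linkUrl, topUrl, frameUrl))) return true;
    const selfLink = siteOf(linkUrl) === siteOf(topUrl) && siteOf(frameUrl) === siteOf(topUrl);
    return selfLink && this.globalHistory.has(linkUrl);
  }
}

// Constructed scenario: the user follows a link on Site A to a page on Site B.
function scenario() {
  const A = "https://site-a.example/", B = "https://site-b.example/pricing";
  const C = "https://site-c.example/";
  const m = new VisitedModel();
  m.recordClick(B, A);
  return {
    legacyOnSiteC: m.legacyIsVisited(B),                 // true: history leaks to a third site
    partitionedOnSiteC: m.partitionedIsVisited(B, C),    // false: Site C never saw the click
    partitionedOnSiteA: m.partitionedIsVisited(B, A),    // true: same site and frame as the click
    siteAFramedByC: m.partitionedIsVisited(B, C, A),     // false: top-level site differs
    selfLinkOnSiteB: m.partitionedIsVisited(B, "https://site-b.example/"), // true: carveout
  };
}
```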
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Apr 2025 11:55:06 +0000