• Category: Security
  • Status: confirmed
  • Sources: Scrapfly write-up, HN discussion
  • Summary: Since Chromium 148 (V8 14.8.57, commit c1486295ae5), Math.tanh calls the host operating system math library (std::tanh) instead of the bundled fdlibm implementation, so the last-bit result now varies by OS. Math.tanh(0.8) returns distinct values on Linux (glibc libm), macOS (libsystem_m), and Windows (UCRT ucrtbase.dll), giving JavaScript an OS signal independent of the user-agent string. IEEE 754 does not require correctly rounded transcendental functions, so each library uses different polynomial coefficients and produces results differing by about one unit in the last place.
  • Comments: HN commenters read it as an argument for correctly rounded transcendental functions and note that IP address plus user-agent already fingerprints most users.
  • Why it matters: A single arithmetic call now leaks the underlying OS behind a spoofed user-agent across all Chromium-based browsers, adding a signal that is hard to mask without reimplementing the math functions.

Send feedback on this story