Full Report
Google is fixing a long-standing privacy issue that, for years, enabled websites to determine users' browsing history through the previously visited links. [...]
Analysis Summary
# Vulnerability: Browser History Privacy Leak Mitigation in Chrome (Self-Links Exception)
## CVE Details
- CVE ID: Not explicitly provided in the text. This summary covers a feature addition/fix rather than a single reported CVE.
- CVSS Score: N/A
- CWE: N/A (Addresses privacy leak defense rather than exploitation of a specific vulnerability)
## Affected Systems
- Products: Google Chrome
- Versions: Versions prior to 136 (specifically 132 through 135, where the feature was experimental). Chrome 136 is the release where it is expected to be default on.
- Configurations: All configurations are potentially affected by the historical privacy risk related to the `:visited` selector.
## Vulnerability Description
For approximately 20 years, the CSS `:visited` selector allowed websites to potentially infer a user's browsing history by observing stylistic changes to links based on whether the user had previously visited them. Chrome 136 addresses this by implementing link partitioning. This ensures that a link will only appear as `:visited` on the originating site and frame origin where the user clicked it, largely eliminating cross-site history leaks. An exception, called the "self-links" exception, was added to preserve usability, allowing visited links to retain their visited status *on the same site* even if clicked from another location.
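A simplified model of the partitioning described above, added here as an illustration; it is not Chrome's code. `VisitedLinkStore`, `siteOf` and the `.example` hosts are hypothetical, and the exact self-link condition (link, top-level page and frame all on one site) is an assumption of the model.

```javascript
// Simplified model of partitioned :visited state; not Chrome's implementation.
// Crude stand-in for "site": scheme plus the last two host labels (no Public Suffix List).
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + '//' + u.hostname.split('.').slice(-2).join('.');
}

class VisitedLinkStore {
  constructor() {
    this.partitioned = new Set(); // link URL + top-level site + frame origin
    this.visitedUrls = new Set(); // every link URL the user has followed
  }

  static key(linkUrl, topLevelUrl, frameUrl) {
    return [new URL(linkUrl).href, siteOf(topLevelUrl), new URL(frameUrl).origin].join(' | ');
  }

  // The user clicked linkUrl inside frameUrl, embedded in a page at topLevelUrl.
  recordClick(linkUrl, topLevelUrl, frameUrl) {
    this.partitioned.add(VisitedLinkStore.key(linkUrl, topLevelUrl, frameUrl));
    this.visitedUrls.add(new URL(linkUrl).href);
  }

  // Pre-partitioning behaviour: one global list answers every page's query.
  isVisitedUnpartitioned(linkUrl) {
    return this.visitedUrls.has(new URL(linkUrl).href);
  }

  // Partitioned behaviour, with the self-links exception.
  isVisited(linkUrl, topLevelUrl, frameUrl) {
    if (this.partitioned.has(VisitedLinkStore.key(linkUrl, topLevelUrl, frameUrl))) return true;
    // Assumed condition: link, top-level page and frame are all on one site.
    const selfLink = siteOf(linkUrl) === siteOf(topLevelUrl) &&
                     siteOf(frameUrl) === siteOf(topLevelUrl);
    return selfLink && this.visitedUrls.has(new URL(linkUrl).href);
  }
}

// Constructed scenario: the user follows a link on news.example to a bank.example page.
function demo() {
  const store = new VisitedLinkStore();
  const target = 'https://bank.example/login';
  store.recordClick(target, 'https://news.example/', 'https://news.example/');
  return {
    legacyLeak: store.isVisitedUnpartitioned(target),
    sameContext: store.isVisited(target, 'https://news.example/', 'https://news.example/'),
    otherSite: store.isVisited(target, 'https://tracker.example/', 'https://tracker.example/'),
    otherFrame: store.isVisited(target, 'https://news.example/', 'https://ads.example/frame'),
    selfLink: store.isVisited(target, 'https://bank.example/', 'https://bank.example/'),
  };
}
```

In the model, only the context where the click happened and the destination site itself see the link as visited; an unrelated site or a cross-origin frame gets `false`.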
## Exploitation
- Status: The underlying privacy risk (history leakage via `:visited`) has historical relevance; the fix in Chrome 136 mitigates this vector.
- Complexity: N/A (Fixing the underlying privacy risk)
- Attack Vector: N/A
## Impact
- Confidentiality: High (Potential exposure of browsing history to third parties)
- Integrity: Low
- Availability: Low
## Remediation
### Patches
- **Chrome 136:** The partitioning logic, including the self-links exception, is expected to be turned on by default.
### Workarounds
For users on Chrome versions 132 through 135, the feature can be manually enabled:
1. Navigate to `chrome://flags/#partition-visited-link-database-with-self-links`
2. Set the option to 'Enabled'.
## Detection
- Detection consists of confirming that browsers are updated to Chrome 136 or later, or that the flag is enabled on older versions.
- Monitoring installed browser versions as they update is the primary method.
## References
- Vendor Advisories: Google / Chrome Security Updates (Implied via the release of Chrome 136)
- Relevant links:
  - bleepingcomputer.com/news/security/chrome-136-fixes-20-year-browser-history-privacy-risk/
  - github.com/explainers-by-googlers/Partitioning-visited-links-history (for proposal details)