Block Client.js functions to prevent fingerprinting on private tabs

[luixxiul]

Describe the issue you encountered: On community it is reported that Client.js can be used to track us by fingerprinting, while fingerprinting protection mode is enabled.

PoC site: http://nothingprivate.ml/

https://clientjs.org/#Fingerprints shows that this code let the site get fingerprint:

<script>
    var client = new ClientJS(); // Create A New Client Object
    var fingerprint = client.getFingerprint(); // Get Client's Fingerprint
    console.log( fingerprint );
</script>

There is a bunch of functions which can be used for tracking by combining them. I think they need to be investigated as well.

• Platform (Win7, 8, 10? macOS? Linux distro?): All

• Brave Version (revision SHA): master

• Steps to reproduce:

  1. Open https://clientjs.org in a normal tab
  2. Open https://clientjs.org in a private tab

• Actual result: Both display the same fingerprint value

• Expected result: either fingerprint value should not be displayed or it should be different

• Extra QA steps: 1. 2. 3.

• Any related issues:

[luixxiul]

note: by disabling javascript the browser gets undetectable quite well:

Finally getting the score with scripts disabled, I am not sure how much disabling the traditional fingerprinting methods actually effective are today...

[luixxiul]

fyi on the PoC site (http://nothingprivate.ml/) TorBrowser is not detected.

[FabioWidmer]

I think this is a quite big privacy issue. Is there an ETA for this issue?

[jonathansampson]

I've received a couple reports from users this past week who would also like to see Client.js blocked.