Google to Patch 23-Year-Old Chrome Vulnerability That Leaks Browsing History

Google has announced a significant security improvement for Chrome version 136. This update addresses a 23-year-old vulnerability that could allow malicious websites to snoop on users’ browsing histories.
The fix, called “:visited link partitioning,” makes Chrome the first major browser to completely eliminate this long-standing privacy risk that has plagued web browsers since the early days of CSS.
The Purple Link Issue
Since the web’s early days, browsers have used the CSS :visited selector to style links users have previously clicked, typically turning them purple. This seemingly innocent feature has harbored a serious security flaw that security researchers have warned about for decades.
“What happens when you click a link? It turns purple!” explains Google in its announcement. This color change occurs because browsers apply special styling to previously clicked links through the CSS :visited selector.
However, this traditional implementation allowed any website to detect whether a visitor had previously accessed specific URLs by checking if the browser rendered those links as “visited,” effectively leaking browsing history across different sites.
The core problem stems from how browsers maintained a global, unpartitioned list of visited URLs.
This meant that if a user visited Site B through a link on Site A, any other website could later determine that the user had visited Site B, even if the user never clicked a link to Site B from that third site.
Malicious websites could create invisible links to thousands of popular websites and use various techniques to detect which ones the browser styled as :visited, creating an effective fingerprinting mechanism that revealed users’ browsing patterns.
How Partitioning Fixes The Problem
Chrome’s solution implements “partitioning” that associates visited links with their original context. Instead of maintaining a single global history list, Chrome will now store visited links alongside information about where they were clicked, including:
- The link URL
- The top-level site
- The frame origin
“Partitioning protects your browsing history by only showing a link as visited if you’ve clicked on that link from this site before,” Google explains.
“This effectively prevents cross-site history leaks while preserving the user experience benefit of visited link styling.”
Self-Links Exception
To maintain usability, Chrome has implemented a “self-links carveout” that allows websites to display their own subpages as visited, even if the user accessed them from a different site.
Google justifies this exception by noting that “sites have other methods of tracking whether a user has visited its subpages,” so no new privacy risk is introduced.
This carveout only applies to a site’s own subpages. Links to third-party sites or in third-party iframes remain strictly partitioned, enforcing proper security boundaries.
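The difference between the global list and the partitioned key described above, including the self-links carveout, can be modeled in a few lines. This is an added example, not Chrome's code: the class names, the `.example` hosts, the use of the URL origin as a stand-in for "site," and recording the carveout as an extra self-keyed entry are all assumptions made for illustration.

```javascript
// Simplified model of :visited lookups (added example, not Chrome's code).
// Assumption: a "site" is approximated by the URL origin; real browsers
// use the scheme plus registrable domain.
const siteOf = (url) => new URL(url).origin;

// Legacy behaviour: one global set, keyed by link URL only.
class GlobalHistory {
  constructor() { this.visited = new Set(); }
  recordClick(linkUrl) { this.visited.add(linkUrl); }
  isVisited(linkUrl) { return this.visited.has(linkUrl); }
}

// Partitioned behaviour: key = (link URL, top-level site, frame origin).
class PartitionedHistory {
  constructor() { this.visited = new Set(); }
  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([linkUrl, topLevelSite, frameOrigin]);
  }
  recordClick(linkUrl, topLevelSite, frameOrigin) {
    this.visited.add(PartitionedHistory.key(linkUrl, topLevelSite, frameOrigin));
    // Self-links carveout (modeling assumption): also record the entry a
    // site would need to style its own subpage as visited.
    const self = siteOf(linkUrl);
    this.visited.add(PartitionedHistory.key(linkUrl, self, self));
  }
  isVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.visited.has(PartitionedHistory.key(linkUrl, topLevelSite, frameOrigin));
  }
}

// Constructed scenario: the user clicks a link to Site B while on Site A.
function visitedLinkDemo() {
  const A = "https://site-a.example";
  const B = "https://site-b.example";
  const C = "https://site-c.example";
  const page = B + "/account";
  const legacy = new GlobalHistory();
  const partitioned = new PartitionedHistory();
  legacy.recordClick(page);
  partitioned.recordClick(page, A, A);
  return {
    legacyVisibleFromC: legacy.isVisited(page),          // any site sees it
    partitionedOnA: partitioned.isVisited(page, A, A),   // where it was clicked
    partitionedOnC: partitioned.isVisited(page, C, C),   // unrelated site
    selfLinkOnB: partitioned.isVisited(page, B, B),      // B's own subpage
    bFrameInsideC: partitioned.isVisited(page, C, B),    // B iframe on Site C
  };
}

console.log(visitedLinkDemo());
```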
The fix is launching with Chrome version 136, making Google’s browser the first to solve this decades-old security vulnerability completely. Other browsers have previously implemented partial mitigations that slowed down such attacks but did not eliminate them entirely.
Security experts have praised this approach as the right balance between maintaining web compatibility and protecting user privacy, addressing a vulnerability that has persisted since the CSS specification first introduced the :visited selector functionality.
The post Google to Patch 23-years Old Chrome Vulnerability That Leaks Browsing History appeared first on Cyber Security News.