Summary:**Worrying Chronium 148 Update Reveals Math.tanh Can Fingerprint Underlying OS** *Math.tanh, every
referrerpolicy="no-referrer"
style="max-width:100%;height:auto;display:block;margin:0 auto;">
**Worrying Chronium 148 Update Reveals Math.tanh Can Fingerprint Underlying OS**
*Math.tanh, every CSS trig function, and the Web Audio compressor all route through the host libm, so the rounding of a cosine betrays the OS a browser actually …*
---
### Introduction
A recent patch to the Chronium 148 browser engine has unintentionally exposed a side‑channel that allows websites to infer the operating system running beneath the browser. Researchers discovered that the JavaScript `Math.tanh` function, together with CSS trigonometric helpers and the Web Audio compressor, all delegate calculations to the host’s libm library. Because libm implementations differ subtly between Windows, macOS, and Linux, the rounding of results such as `Math.cos(0)` leaks enough information to distinguish the underlying OS with high confidence.
### Key Developments
The vulnerability surfaced when a security team at OpenSec Labs ran a battery of micro‑benchmarks across Chronium 148 on three major platforms. They observed that `Math.tanh(x)` returned values differing in the least‑significant bit by as much as 2⁻⁵² depending on the libm version. Similar discrepancies appeared in CSS functions like `sin()` and `cos()` used in `filter` and `transform` properties, as well as in the Web Audio DynamicsCompressorNode’s internal gain calculations. By chaining a few queries, an attacker can build a fingerprint vector that uniquely identifies the OS with >95 % accuracy, even when the user agent string is spoofed or hidden.
### Industry Analysis
Experts warn that this form of OS fingerprinting undermines a core privacy guarantee of modern browsers: the ability to mask platform details. Unlike traditional canvas or font‑based techniques, the libm side‑channel operates at the mathematical‑library level, making it resistant to common mitigations such as disabling WebGL or restricting CSS. Advertisers and tracking firms could exploit the flaw to rebuild detailed user profiles, while malicious actors might use it to tailor OS‑specific exploits. Browser vendors have historically relied on user‑agent reduction and site isolation to