Since Chromium 148, Math.tanh is now fingerprintable to link underlying OS(scrapfly.dev)
408 points by joahnn_s 16 hours ago | 198 comments
tl;dr: Since Chrome 148, V8 replaced its bundled fdlibm `Math.tanh` with `std::tanh`, which calls the host libm (glibc, Apple libsystem_m, or UCRT) and returns OS-specific bit patterns—making a single `Math.tanh(0.8)` call enough to identify the underlying OS and catch User-Agent spoofers. CSS trig functions and Web Audio leak similarly across different libraries (including Apple's Accelerate for FFTs). The author (Scrapfly) details how they defeat this by reproducing Apple's libm bit-for-bit or memory-mapping Windows' ucrtbase.dll directly, matching the claimed OS's rounding exactly rather than adding noise.
HN Discussion:
  • Article/author is self-serving; scraping companies like Scrapfly worsen the fingerprinting arms race
  • Correctly rounded transcendental functions would solve this fingerprinting vector
  • ~Fingerprinting is so pervasive that resisting OS-level fingerprinting is essentially futile
  • ~Simple JS-side noise injection could mitigate the tanh fingerprint
  • Skepticism about technical framing — tanh implementation details or fingerprint significance are overstated