
Although Chrome itself has not yet reached its 23rd anniversary, the history of web browsers stretches much further back. A vulnerability recently patched by Google theoretically affects all browsers and could allow online advertisers to infer users’ browsing histories, thereby enabling the delivery of targeted ads.
The exploit is deceptively simple. Typically, hyperlinks on a webpage are displayed in blue, signaling to users that the text is clickable. Once a user clicks the link, the color often changes to purple (though not universally), providing a visual cue that the link has already been visited.
This behavior is controlled via CSS. By applying the “:visited” pseudo-class in a stylesheet, a developer can define a different color for visited links. When a browser detects that a hyperlink’s destination exists in the user’s browsing history, it renders the link using the “:visited” style, typically a different hue.
Advertisers and third-party scripts capable of executing on webpages can exploit this mechanism. By embedding specific links and then observing the applied CSS styles, they can deduce whether a user has visited those URLs. If the color indicates a link was visited, it suggests user interest, which can then be leveraged to serve personalized advertisements.
A Google software engineer explained in a blog post:
“These attacks can reveal which links a user has visited and leak details about their web browsing activity. This security problem has plagued the web for over 20 years, and browsers have deployed various stop-gaps to mitigate these history detection attacks. While the attacks are slowed down by these mitigations, they are not eliminated.”
Notably, reports of this issue had long existed in Chromium’s issue tracker, but Google had previously marked it as “Won’t Fix” on two occasions. Only now has the company resolved to address the problem head-on.
The patch has been incorporated into Chrome Beta v136, with the stable release of Chrome 136 scheduled for April 23, making Chrome the first browser to fully close this longstanding security loophole.
Previously, this vulnerability was difficult to eliminate because the visual indication of visited links required the browser to check against the user’s history. Chrome’s engineers resolved the dilemma by introducing a partitioning model for visited links rather than maintaining a global history list.
In essence, partitioning means storing visited link data alongside contextual information such as the link URL, the top-level domain (i.e., the website the user is visiting), and the iframe origin. With this approach, the “:visited” styling no longer references a global history accessible to all sites. Instead, it is constrained by the context in which the user initially accessed the link. As a result, trackers can no longer infer visited URLs hosted outside of their own domain.
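To make the difference between the two models concrete, here is an added illustration (not Chromium’s code and not from the article) that models a global visited-link store next to a partitioned one keyed by the triple described above. The class names, the `simulateScenario` helper and the `*.example` sites are constructed for the example; in a real browser the key components come from the navigation itself, not from caller arguments.

```javascript
// Toy model of visited-link storage. Illustrative only, not Chromium's implementation.

// Canonicalise a link URL so that equivalent spellings compare equal.
function normalize(linkUrl) {
  return new URL(linkUrl).href;
}

// Classic model: a single history set shared by every page in the browser.
class GlobalVisitedStore {
  constructor() { this.visited = new Set(); }
  recordVisit(linkUrl) { this.visited.add(normalize(linkUrl)); }
  // Any page, in any frame, gets the same answer, which is what leaks history.
  isVisited(linkUrl) { return this.visited.has(normalize(linkUrl)); }
}

// Partitioned model: the key is (link URL, top-level site, frame origin).
// A link only renders as :visited in the same context in which it was clicked.
class PartitionedVisitedStore {
  constructor() { this.visited = new Set(); }
  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([normalize(linkUrl), topLevelSite, frameOrigin]);
  }
  recordVisit(linkUrl, topLevelSite, frameOrigin) {
    this.visited.add(PartitionedVisitedStore.key(linkUrl, topLevelSite, frameOrigin));
  }
  isVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.visited.has(PartitionedVisitedStore.key(linkUrl, topLevelSite, frameOrigin));
  }
}

// Constructed scenario: the user clicks a shop link while reading news.example,
// then later loads blog.example, which embeds a third-party ads.example iframe
// that renders the same shop link and inspects its styling.
function simulateScenario() {
  const link = 'https://shop.example/deals';
  const globalStore = new GlobalVisitedStore();
  const partitioned = new PartitionedVisitedStore();

  // The click happens in the main frame of news.example.
  globalStore.recordVisit(link);
  partitioned.recordVisit(link, 'https://news.example', 'https://news.example');

  return {
    // Global model: the tracker iframe on an unrelated site learns the visit.
    globalLeaks: globalStore.isVisited(link),
    // Partitioned model: same link, different top-level site and frame -> no match.
    partitionedCrossSite: partitioned.isVisited(link, 'https://blog.example', 'https://ads.example'),
    // Partitioned model: back on news.example in the main frame, the link still
    // shows as visited, so the user-facing cue is preserved.
    partitionedSameContext: partitioned.isVisited(link, 'https://news.example', 'https://news.example'),
    // Partitioned model: a third-party iframe embedded on news.example itself is a
    // different frame origin, so it cannot observe the main frame's click either.
    partitionedThirdPartyFrameOnSameSite: partitioned.isVisited(link, 'https://news.example', 'https://ads.example'),
  };
}

console.log(simulateScenario());
```

The point the scenario makes is that partitioning does not remove the visited-link cue; it scopes it to the top-level site and frame that produced the click, so an embedded third-party script gets no signal about clicks made elsewhere.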