
Introduction
Google has rolled out Chrome version 136, and with it comes a major win for user privacy: the patching of a browser history leak that has persisted across browsers for over 20 years. This update addresses a long-standing flaw that allowed malicious websites to secretly check a user’s browser history—without permission. The fix reflects Google’s commitment to reinforcing privacy protections in the modern web browsing experience.
What Was the Two-Decade Privacy Flaw?
The issue is tied to how browsers render links that users have previously visited. For years, web developers have been able to use scripts to detect the color difference between visited and unvisited links—commonly known as the “visited link sniffing attack.” Even after partial mitigations rolled out in the past, including changes from as far back as Firefox 3.6 and Chrome 6 in 2010, the vulnerability never truly went away.
This flaw allowed websites to determine whether a user had visited specific URLs, effectively leaking browser history in a way that could be used for targeted advertising or other nefarious purposes. Chrome 136 finally seals off this vulnerability by enforcing stricter rules around link rendering and styling behaviors in the browser engine.
How Chrome 136 Fixes the Issue
With Chrome 136, Google has implemented a significant improvement to the handling of visited link styling. The fix involves changes to the underlying behavior in Chrome’s rendering engine, ensuring that style differences between visited and unvisited links cannot be programmatically detected through scripts.
- No styling feedback: Sites are no longer able to deduce whether a link was visited based on CSS properties such as color, size, or font weight.
- JavaScript restrictions: JavaScript can no longer be used to detect historical link visits based on rendering measurements.
- Uniform appearance: Visited and unvisited links now behave more uniformly from a rendering inspection perspective.
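The difference between the old and new behavior can be modeled in a few lines. This is an added example, not Chrome's code and not part of the original article. It assumes the partitioning scheme Chrome has publicly described for this change (visited state keyed by link URL, top-level site, and frame origin) and omits Chrome's exception for a site's links to its own pages. All site names are constructed.

```javascript
// Added illustration: a model of visited-link lookups, not Chrome source code.
// All site names below are constructed sample values.

// Unpartitioned model: one global list of visited URLs, so every page that
// renders a link to a URL learns whether the user has been there.
class GlobalVisitedStore {
  constructor() { this.urls = new Set(); }
  recordClick(linkUrl) { this.urls.add(new URL(linkUrl).href); }
  isStyledVisited(linkUrl) { return this.urls.has(new URL(linkUrl).href); }
}

// Partitioned model: an entry is keyed by the link URL plus the context
// (top-level site and frame origin) in which the link was clicked.
class PartitionedVisitedStore {
  constructor() { this.entries = new Set(); }
  static key(linkUrl, topLevelSite, frameOrigin) {
    return JSON.stringify([new URL(linkUrl).href, topLevelSite, frameOrigin]);
  }
  recordClick(linkUrl, topLevelSite, frameOrigin) {
    this.entries.add(PartitionedVisitedStore.key(linkUrl, topLevelSite, frameOrigin));
  }
  isStyledVisited(linkUrl, topLevelSite, frameOrigin) {
    return this.entries.has(PartitionedVisitedStore.key(linkUrl, topLevelSite, frameOrigin));
  }
}

// Which of `links` would match :visited when rendered in the given context?
function visitedIn(store, links, topLevelSite, frameOrigin) {
  return links.filter((u) => store.isStyledVisited(u, topLevelSite, frameOrigin));
}

function demo() {
  const bank = "https://bank.example/login";
  const clinic = "https://clinic.example/appointments";
  const search = "https://search.example";
  const other = "https://other.example";
  const legacy = new GlobalVisitedStore();
  const partitioned = new PartitionedVisitedStore();

  // The user clicks the bank link from a search results page (top-level frame).
  legacy.recordClick(bank);
  partitioned.recordClick(bank, search, search);

  return {
    legacyOtherSite: visitedIn(legacy, [bank, clinic], other, other),
    partitionedOtherSite: visitedIn(partitioned, [bank, clinic], other, other),
    partitionedSameSite: visitedIn(partitioned, [bank, clinic], search, search),
    partitionedThirdPartyFrame: visitedIn(partitioned, [bank], search, "https://ads.example"),
  };
}
```

In the partitioned model the unrelated site and the third-party frame both get an empty result, while the page where the click happened still shows the link as visited.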
Why This Matters for Web Users
This change might seem technical, but its privacy implications are significant. Prior to this fix, websites could track your browsing habits even without cookies, simply by testing which URLs were previously visited. This history sniffing technique was used for behavioral profiling, marketing, and in some instances, more malicious tracking efforts.
By closing this loophole, Chrome enhances user privacy and limits how much information unauthorized parties can extract from your online behavior—even without your knowledge.
Wider Industry Implications
Google’s move could influence other browser vendors to follow suit, if they haven’t already. Chrome is known for setting the tone in web standards and privacy features, and this fix puts pressure on browsers like Safari, Edge, and Firefox to re-examine how they handle visited link styling at a fundamental level.
It also serves as a reminder that even long-standing web features need constant review to ensure they align with today’s security and privacy standards.
Key Takeaways
- Chrome 136 patches a 20-year-old privacy flaw related to visited link styling.
- Malicious websites can no longer use scripts to detect which URLs you’ve previously visited.
- This update greatly improves user privacy and limits silent tracking techniques.
- Google is reinforcing its role in advancing web security and privacy with practical updates like this.
Final Thoughts
It’s rare for web security stories to involve vulnerabilities that have existed since the early days of the internet. But Chrome 136 proves that no flaw is too old to fix—especially when it impacts millions of users. As cyber threats continue to evolve, browser vendors must stay vigilant in protecting users’ data. Chrome’s latest update is not just a patch; it’s a privacy milestone.
If you’re using Google Chrome, make sure to update to version 136 to take full advantage of this critical security improvement. Your browsing history deserves to stay private—finally, it can.