HeadlinesBriefing.com

Websites can now sniff SSD activity to track users

Ars Technica

Security researchers have demonstrated a new side‑channel that lets a web page infer which apps and sites a visitor is using by measuring SSD latency from JavaScript. The method, dubbed FROST, leverages the browser’s Origin‑Private File System to perform random reads on a large file and capture contention caused by other processes.

The attack trains a convolutional neural network on latency traces, enabling classification of new traces to fingerprint user activity. Researchers needed a file of at least a gigabyte, which makes large‑scale exploitation noisy and likely to be spotted. They tested the full workflow on an M2 Mac, and showed the primitive works on Linux, though they did not evaluate Windows.

Mitigations include closing unused tabs and monitoring OPFS file creation; browser vendors could cap file size to blunt the channel. No evidence suggests FROST attacks have been observed in the wild, but the proof‑of‑concept raises concerns for privacy‑focused browsers and enterprise environments that rely on SSD isolation. The findings will be presented at DIMVA in July.

Developers can also disable the Origin‑Private File System for untrusted origins or require user permission before allocating large files. While the attack’s practicality hinges on users keeping large OPFS files open, its existence underscores a broader trend of side‑channel research targeting web APIs. Browser teams now face pressure to close this leakage path before it becomes exploitable at scale.