The bug is in Safari’s IndexedDB implementation on all three of Apple’s operating systems. Apparently, a website can see the names of databases for any domain. Typically, a website should only see the names of databases of its own domain, so this is definitely a security issue. The names of the databases can be used to extract information from a lookup table.
With this information, your recent browsing history could surface. Additionally, because Google services store an IndexedDB instance for each of your logged-in accounts, your account name could also be revealed.
As far as what someone could do with this information, they could scrape your Google ID and then use that to find out other personal information about you.
If you want to see the bug in action, you can visit safarileaks.com in the Safari browser on Mac, iPad, or iPhone. If you try from a different browser on Mac, you’ll see a message stating that “Your browser is not affected. Please open this demo in Safari 15 on macOS or any browser on iOS and iPadOS 15.” If you’re on iPad or iPhone, it’ll work either way.
FingerprintJS first reported the bug to Apple on November 28, 2021, but the issue has yet to be resolved. Hopefully, the pressure of the problem being public will push Apple to get a fix out.