Critical privacy issue forces Mozilla to remove Battery Status API from Firefox

Mozilla will remove Firefox's Battery Status API because it can be used to distinguish individual devices. The Battery Status API was officially introduced by the web standards organisation the World Wide Web Consortium (W3C) this year and allows websites to check the charge status of a device.


An unstandardised version of the feature had already been integrated in Firefox since 2012, and the W3C initially classified the privacy issues with the feature as uncritical. While browsers usually ask before a site can request the user's location through the Location API, access to the Battery Status API is granted without any user interaction. The idea behind the Battery Status API is to check whether a device is sufficiently charged to display, e.g., power-demanding high-resolution video. If the API reports that the device isn't sufficiently charged, the website would show a lower-resolution video instead.

But because the Battery Status API reports the charge state of the device with a precision of up to six decimals, exact data on the required charge time of a notebook, tablet or smartphone is revealed to the browser. Security researchers found that with a few queries they could determine the battery capacity and thus identify individual devices.

The method has already been abused in the wild. Researchers from Princeton University found two scripts that identified users using the battery values provided by the Battery Status API, even if the users had deleted their cookies. This browser fingerprinting could then be used to assign a new cookie to the user that could permanently identify them on other websites.

Interestingly, the researchers found no website that legitimately used the Battery Status API.

Besides Firefox, Chrome and Chromium-based browsers also support the Battery Status API.

Firefox users who want to prevent browser fingerprinting via the Battery Status API before Mozilla removes the feature (which will happen in Firefox 52) should open about:config and deactivate "dom.battery.enabled".

Check here how your browser responds to the Battery Status API.
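The following is an added example, not code from the article or from Mozilla, showing the two things a defender would want after reading the above: a self-check that reports how much fingerprinting surface a BatteryManager object exposes (high-precision `level`, exact `chargingTime`/`dischargingTime`), and a coarsening wrapper that keeps the API usable for the legitimate "lower the video quality" case while removing the device-specific detail. The `sampleBattery` object is constructed for illustration; the `assessBatteryExposure`, `coarsenBattery` and `installCoarseBattery` names are this example's own, and `installCoarseBattery` is meant to be called on `navigator` from, for instance, an extension content script.

```javascript
// Added example (not from the article): self-check and mitigation for the
// fingerprinting surface of the Battery Status API.

// Number of decimal places in a fraction: 0.5625 -> 4, 0.56 -> 2, Infinity -> 0.
function decimalPlaces(value) {
  if (!Number.isFinite(value)) return 0;
  const s = value.toString();
  const dot = s.indexOf('.');
  return dot === -1 ? 0 : s.length - dot - 1;
}

// Inspect a BatteryManager-like object and list the properties that carry
// device-specific information. A level with more than two decimals and exact
// (finite, non-zero) charge/discharge times are what allow capacity estimation.
function assessBatteryExposure(battery) {
  if (!battery) {
    return { exposed: false, reasons: ['Battery Status API not available'] };
  }
  const reasons = [];
  const places = decimalPlaces(battery.level);
  if (places > 2) {
    reasons.push(`level has ${places} decimal places (fine-grained capacity signal)`);
  }
  if (Number.isFinite(battery.chargingTime) && battery.chargingTime > 0) {
    reasons.push('chargingTime is an exact value in seconds');
  }
  if (Number.isFinite(battery.dischargingTime) && battery.dischargingTime > 0) {
    reasons.push('dischargingTime is an exact value in seconds');
  }
  return { exposed: reasons.length > 0, reasons };
}

// Return a coarsened snapshot: level rounded to two decimals (about 100 distinct
// states instead of millions) and both time estimates set to Infinity, which the
// API already uses to mean "not computable". Sites can still pick a video quality.
function coarsenBattery(battery) {
  return {
    charging: Boolean(battery.charging),
    level: Math.round(battery.level * 100) / 100,
    chargingTime: Infinity,
    dischargingTime: Infinity,
  };
}

// Wrap navigator.getBattery() on a navigator-like object so every caller sees the
// coarsened snapshot. The original function is kept and called, not removed.
function installCoarseBattery(nav) {
  if (!nav || typeof nav.getBattery !== 'function') return false;
  const original = nav.getBattery.bind(nav);
  nav.getBattery = () => original().then(coarsenBattery);
  return true;
}

// Constructed sample values standing in for a real BatteryManager.
const sampleBattery = {
  charging: false,
  level: 0.5625,          // six-decimal precision is possible in real browsers
  chargingTime: Infinity, // not charging
  dischargingTime: 8047,  // exact seconds until empty
};

// Stand-alone usage: report exposure before and after coarsening.
console.log('before:', assessBatteryExposure(sampleBattery));
console.log('after: ', assessBatteryExposure(coarsenBattery(sampleBattery)));
```

In a browser the self-check is `navigator.getBattery().then(assessBatteryExposure)`; if `navigator.getBattery` is undefined (as in Firefox once the API is removed, or with "dom.battery.enabled" deactivated), `assessBatteryExposure(undefined)` reports no exposure. Rounding to two decimals is a design choice for this example: it is enough for the "is the battery low?" decision the API was meant for and leaves far less for a script to correlate across sessions.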
