Tor Browser: Font probing vulnerability using dynamically generated iframes
Tor Browser limits the total number of fonts that can be used in a document. By default, a document can use 10 fonts, so a fingerprinter that probes for more than 10 fonts is only told that the additional fonts are missing. However, this design has a flaw: it does not consider that iframes also have their own document body. To circumvent the limit, a fingerprinting script can dynamically generate an iframe for each batch of 10 fonts and probe for their existence, repeating this until all fonts have been probed.
**Note:** The maximum number of possible fonts can be changed by the user. The fingerprinting script could easily probe for this threshold, as I found out that an already loaded font can't be loaded again once this limit is reached.
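The accounting flaw can be reproduced in a small model, added here as an illustration and not taken from Tor Browser's code. The `Doc` class, both budget policies and the font names are constructed for this example, and the shared top-level budget is an assumed hardening, not a fix described in this post.

```javascript
// Constructed model of the font-limit accounting. Not Tor Browser code.
const FONT_LIMIT = 10; // default per-document limit stated in the post

// A document in a frame tree; iframes are Docs with a parent.
class Doc {
  constructor(parent = null) {
    this.parent = parent;
    this.used = new Set(); // fonts charged against this document
  }
  // Walk up to the top-level document of the tab.
  top() {
    return this.parent ? this.parent.top() : this;
  }
}

// Flawed policy from the post: every document, iframes included,
// gets its own budget of FONT_LIMIT fonts.
const perDocumentBudget = (doc) => doc.used;

// Assumed hardening: all frames charge the top-level document's budget.
const sharedBudget = (doc) => doc.top().used;

// Returns true if the request is answered truthfully, false if the font
// is reported missing because the budget is already exhausted.
function requestFont(doc, font, budgetOf) {
  const used = budgetOf(doc);
  if (used.size >= FONT_LIMIT) return false;
  used.add(font);
  return true;
}

// Regression check for a limiter policy: issue `totalFonts` requests,
// moving to a fresh subdocument after every FONT_LIMIT requests, and
// count how many get a truthful answer. A sound policy never exceeds
// FONT_LIMIT for the whole tab.
function answeredAcrossFrames(budgetOf, totalFonts) {
  const top = new Doc();
  let frame = null;
  let answered = 0;
  for (let i = 0; i < totalFonts; i++) {
    if (i % FONT_LIMIT === 0) frame = new Doc(top);
    if (requestFont(frame, `constructed-font-${i}`, budgetOf)) answered++;
  }
  return answered;
}
```

With 35 constructed font names, the per-document policy answers all 35 requests, while the shared policy stops at 10 regardless of how many frames are created.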