Researchers have uncovered a browser-based technique that lets websites infer what other tabs a user has open and which applications run on their device. All it takes is some JavaScript and access to a storage feature meant to help web apps feel more native. The method, called FROST, stands for fingerprinting remotely using OPFS-based SSD timing. It turns subtle timing differences in how a solid-state drive responds to read requests into a reliable signal about user behavior. Ars Technica first reported the findings on May 27, 2026. The underlying research paper appeared just days earlier. But FROST is no ordinary tracker. It doesn’t rely on cookies, canvas data, or battery levels. Instead it watches the drive itself. Short. Direct. And surprisingly effective. Lead author Hannes Weissteiner and his colleagues at Graz University of Technology showed the attack works without any code running outside the browser sandbox. No native execution. No user permission beyond visiting the page.…