This machine I'm working on has been set up from scratch in January. I know very precisely what is installed right now and that I have never had Spotify or Skype installed.

When running this on Windows 10, with Firefox 88.0.1, this is my result:

I used the app and have Figma v 97.7 installed, but the site did not detect it. I opened figma and did a re-login and tested again with the app open, but still without success.

Tested on Windows 10

I am a developer from China, and when I try to translate the term "scheme flooding", there seems to be no easy-to-understand answer, so I would like to ask how do I understand the term "scheme flooding"?Looking forward to your reply, thanks!

Of all 23 applications it claims I have installed I have 0

.

This is your identifier. It was seen 986 times among 42201 tests so far. That means it is 97.66% unique. We have generated your identifier based on 23 applications you have installed.

Spoofing the user agent triggers all apps (installed and not installed) on Brave , and stops completely on Firefox.

Brave : UserAgent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0

Firefox : UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4433.0 Safari/537.36

I suspect it is because of getBrowserFamily(): https://github.com/fingerprintjs/external-protocol-flooding/blob/5a2be48e5b3d2aaa8a0e62d7e997506e6253443e/packages/client/src/detector/browser.ts#L1-L23

I get three different Fingerprints for Firefox, Chromium and Tor Browser (all three with supposedly vulnerable versions according to your README file). All three manage to miscalculate the apps that are installed. Firefox reports almost every app as installed (although I don't have all the reported ones) while the other two browsers report fewer apps installed than what's present on my pc. Running Archlinux with a few typical privacy-preserving Add-Ons on Firefox and an Adblocker on Chromium.

I can send you more exact information about my setup if you're interested, but I don't want to post that publicly.

I would be interested to see what part of my setup "breaks" the detection.

I just started recently with fingerprint js and during test run observed that it gives different visitorId for different browsers. Is this the expected result ?

there is some bug with the code below

    // detection.ts
    const isBrowserActive = document.hasFocus() || handler.document.hasFocus()
    if (!isBrowserActive) {
      throw AlertMessage.FocusWindow
    }

    // Make test
    if (document.hasFocus()) {
      document.body.insertBefore(input, document.getElementById('app'))
    } else {
      handler.document.body.appendChild(input)
    }

A windows pc with itunes 12.5 installed does not have it detected properly (sometimes detecting, usually not), it also shows skype and spotify as installed though that is only because they were recently uninstalled. Testing with a newer version installed (12.10) detects it properly.

When using firefox and adjusting the certain settings below in the config. This entire thing just fails to function.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste neww and wait for the list to finish filtering.

(3) Change the preferences as follows:

(A) browser.link.open_newwindow - for links in Firefox tabs. 3 = divert new window to a new tab (default) 2 = allow link to open a new window 1 = force new window into same tab <= Change to this one

(B) browser.link.open_newwindow.restriction - for links in Firefox tabs. 0 = apply the setting under (A) to ALL new windows (even script windows) <= Change to this one 2 = apply the setting under (A) to normal windows, but NOT to script windows with features (default) 1 = override the setting under (A) and always use new windows

(C) browser.link.open_newwindow.override.external - for links in other programs. -1 = apply the setting under (A) to external links (default) 3 = open external links in a new tab in the last active window <= Change to this one 2 = open external links in a new window 1 = open external links in the last active tab replacing the current page

(4) Then using this website (the one you have for testing this stuff). Try to "Get my Identifier" to see results.

Note: I don't know how to add a label to this, so what I want it to be is in the title.

Summary

Some applications, e.g. Steam, leave behind their Windows registry records when uninstalled. Therefore user can install an application, then delete it and still have protocol registration which is picked up by the demo. Since the demo produces results which appear as false positives (reporting that an application is installed when it ctually is not), users might dismiss the demo thinking it is inaccurate. It would be nice if you could add a note or a mark (e.g., asterisk) to programs prone to false positives.

Repro steps

1. Install Steam so that it registers protocol handler in HKEY_CLASSES_ROOT\steam.
2. Uninstall Steam and note that the registry record is still present.
3. Run demo and see Steam among "installed" applications.