# The WASM Cloak: Evaluating Browser Fingerprinting Defenses Under WebAssembly based Obfuscation

**Authors:** A H M Nazmus Sakib, Mahsin Bin Akram, Joseph Spracklen, Sahan Kalutarage, Raveen Wijewickrama, Igor Bilogrevic, Murtuza Jadliwala

arXiv: 2508.21219 · 2025-09-01

## TL;DR

This paper evaluates how WebAssembly obfuscation affects browser fingerprinting defenses, revealing that research-based detectors are somewhat vulnerable while practical defenses remain effective, highlighting gaps and future challenges.

## Contribution

It systematically assesses the impact of WASM obfuscation on fingerprinting defenses, bridging the gap between academic and practical detection methods.

## Key findings

- Research-based detectors show moderate vulnerability to WASM obfuscation.
- In-browser and native defenses remain fully effective against WASM-based fingerprinting.
- WASM obfuscation exposes gaps in existing academic fingerprinting detection strategies.

## Abstract

Browser fingerprinting defenses have historically focused on detecting JavaScript(JS)-based tracking techniques. However, the widespread adoption of WebAssembly (WASM) introduces a potential blind spot, as adversaries can convert JS to WASM's low-level binary format to obfuscate malicious logic. This paper presents the first systematic evaluation of how such WASM-based obfuscation impacts the robustness of modern fingerprinting defenses. We develop an automated pipeline that translates real-world JS fingerprinting scripts into functional WASM-obfuscated variants and test them against two classes of defenses: state-of-the-art detectors in research literature and commercial, in-browser tools. Our findings reveal a notable divergence: detectors proposed in the research literature that rely on feature-based analysis of source code show moderate vulnerability, stemming from outdated datasets or a lack of WASM compatibility. In contrast, defenses such as browser extensions and native browser features remained completely effective, as their API-level interception is agnostic to the script's underlying implementation. These results highlight a gap between academic and practical defense strategies and offer insights into strengthening detection approaches against WASM-based obfuscation, while also revealing opportunities for more evasive techniques in future attacks.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2508.21219/full.md

## Figures

8 figures with captions in the complete paper: https://tomesphere.com/paper/2508.21219/full.md

## References

64 references — full list in the complete paper: https://tomesphere.com/paper/2508.21219/full.md

---
Source: https://tomesphere.com/paper/2508.21219