Google has recently patched a longstanding vulnerability that could allow advertisers and third-party scripts to infer users’ browsing histories by exploiting the way browsers display visited links. Traditionally, browsers change the color of visited hyperlinks using the CSS “:visited” pseudo-class, signaling to users which links they have already clicked. However, malicious actors could embed specific links on a webpage and detect color changes to determine if a user had previously visited those URLs, using this information to target ads.

This issue has been known for over 20 years, and while browsers introduced mitigations to slow such attacks, they never fully eliminated the risk. A Google engineer explained that this vulnerability has long been a persistent security concern. Feedback on the problem had been logged multiple times in Chromium’s issue tracker but was initially dismissed as “Won’t Fix.” Only recently has Google committed to solving it.

The solution comes with Chrome Beta version 136 and will be included in the stable release of Chrome 136 on April 23. Instead of checking a global browsing history to style visited links, Chrome now uses a partitioning model. This method stores visited link data alongside contextual information, such as the link’s URL, the top-level site, and the iframe origin. By doing this, “:visited” styling only applies within the same context where the user first accessed the link.

As a result, websites can no longer detect if a user has visited URLs outside of their own domain, effectively shutting down a method that trackers could previously exploit to access users' browsing activity. Chrome will become the first browser to fully close this historic security loophole.