In-depth Analysis of Memory Information Fingerprinting and Protection
1. What is Memory Information Fingerprint
In the digital world, every device has its unique “identity”. Beyond common identifiers like IP addresses, cookies, and device models, browser fingerprinting technology is becoming increasingly sophisticated. Memory information fingerprint is a sub-dimension of browser fingerprinting that is often overlooked yet highly unique for identification. It does not refer to the absolute size of physical memory, but rather a set of feature vectors obtained by accessing parameters under the window object via JavaScript, such as navigator.deviceMemory (hardware concurrency), navigator.hardwareConcurrency (CPU cores), and jsHeapSizeLimit, totalJSHeapSize, usedJSHeapSize obtained via performance.memory (a Chrome private API).
These parameters reflect the memory limits available to the browser process, the current state of the JavaScript heap, and can even produce subtle differences between different browser instances. Attackers or tracking services can use combinations of these data points to significantly improve user identification accuracy. According to public research on GitHub, the combination of just three properties of performance.memory can generate an additional entropy of approximately 0.78 bits in a typical fingerprint database, equivalent to increasing the discriminative power by nearly 70% over the original fingerprint.
2. How Memory Information Fingerprint Works
Browsers do not directly expose the physical memory size, but it can be indirectly inferred through the following interfaces:
navigator.deviceMemory: Returns an approximate value of the device memory (e.g., 0.25, 0.5, 1, 2, 4, 8), in GB. This value has a significant impact on user privacy; some browsers (e.g., Firefox) have disabled this interface by default.navigator.hardwareConcurrency: Returns the number of logical CPU cores, often related to memory allocation strategies.performance.memory: Chrome-specific, includesjsHeapSizeLimit(JavaScript heap size limit),totalJSHeapSize(allocated heap size), andusedJSHeapSize(currently used heap size). Note that this property may be blocked in non-secure contexts or incognito mode.
These data points are dynamic over time. Even when the same browser opens multiple tabs, the usedJSHeapSize of different tabs will have subtle differences, providing a “soft” dimension for fingerprinting—the state captured at a specific point in time. Tracking services often average multiple samples or combine them with other fingerprints (such as Canvas, AudioContext, WebGL) to generate a unique identifier.
3. Threats of Memory Fingerprint in Security Scenarios
For users engaged in cross-border e-commerce, social media operations, or affiliate marketing, memory information fingerprint is an “invisible killer” for account association. For example, if a seller operates 10 Amazon accounts simultaneously, and the browser instances of these accounts all run on the same physical machine, even after clearing cookies or changing proxy IPs, the memory fingerprint data may still expose the correlation between them.
Specific scenarios include:
- Multi-account detection: The platform server periodically sends JavaScript code to collect memory fingerprints. If multiple accounts on the same device show the same
deviceMemory,hardwareConcurrency, and highly similarperformance.memorysnapshots, even with different IPs, the backend system may classify them as the same user’s operations. - Web scraping and anti-scraping: Anti-scraping systems can distinguish between real user browsers and automated scripts (e.g., Puppeteer, Selenium) by analyzing the periodic patterns of memory usage curves. Automated tools often have overly regular memory allocation patterns or abnormal values (e.g.,
jsHeapSizeLimitfar higher than normal browser limits). - Privacy leakage: Some malicious websites use memory fingerprints combined with other information (such as Canvas fingerprints) to generate persistent tracking tokens. Even if users clear their browser data daily, as long as the hardware environment remains unchanged, the token will persist.
4. How to Detect Your Own Memory Fingerprint
You can view your current memory fingerprint data in the browser console using the following simple JavaScript code:
console.log('deviceMemory:', navigator.deviceMemory);
console.log('hardwareConcurrency:', navigator.hardwareConcurrency);
if (performance.memory) {
console.log('jsHeapSizeLimit:', performance.memory.jsHeapSizeLimit);
console.log('totalJSHeapSize:', performance.memory.totalJSHeapSize);
console.log('usedJSHeapSize:', performance.memory.usedJSHeapSize);
}
Note: Different browsers have varying support for these APIs. For example, Safari does not provide deviceMemory or performance.memory, while Chrome and Edge (Chromium-based) expose them fully. This means that the risk of memory fingerprint collection is highest in mainstream Chromium-based browsers.
5. Protection and Countermeasures
5.1 Common Protection Measures
- Disable JavaScript: Completely blocks fingerprint collection, but causes most modern websites to fail to render properly.
- Use privacy extensions: Such as uBlock Origin or CanvasBlocker, but these tools typically cannot fully simulate or randomize the return value of
performance.memorybecause the property is read-only and depends on the browser’s internal state. - Use incognito mode: Only prevents local cache sharing; it cannot change the physical correlation of memory fingerprints (since the hardware remains unchanged).
5.2 Professional Solution – Fingerprint Browser
For multi-account operators, manually adjusting these fine-grained parameters is nearly impossible. A common practice is to use a fingerprint browser, which can forge or randomize hundreds of fingerprint dimensions (including memory information) at the browser kernel level. For example, NestBrowser can provide fully isolated virtual hardware parameters for each independent browser environment (Profile), including deviceMemory, hardwareConcurrency, and all sub-items of performance.memory. By simulating the real memory distribution of different devices, multiple accounts on the same physical machine appear to the server as coming from devices with different memory configurations, effectively cutting off association clues.
5.3 Practical Test Results and Data
According to feedback from an e-commerce seller, after using NestBrowser to run 5 accounts across different platforms, comparison using fingerprint detection tools (e.g., amiunique.org) showed: the fingerprint entropy of each environment increased from the original 16 bits to 22 bits, and there were no common features between environments. This indicates that the randomization of memory fingerprints is effective, while it does not affect graphics performance such as WebGL or Canvas, because the hardware simulation is based on lightweight modifications driven by the real GPU, rather than full software rendering.
6. Future Trends of Memory Fingerprint and Anti-Fingerprint Technology
As browser vendors focus on privacy, some APIs are being deprecated. For example, Chrome 133+ versions began to hint that performance.memory would be removed, but it has not yet been officially deleted. Meanwhile, navigator.deviceMemory still has strong support for retention within the Chromium community due to its convenience for ad tracking. The anti-fingerprint field will continue the “cat-and-mouse game”: trackers will seek new alternative APIs (e.g., indirectly inferring CPU performance through Canvas rendering time, or measuring memory access latency via WebAssembly), while anti-tracking technologies will require deeper and more thorough fingerprint camouflage.
For users who need long-term stable operation of multiple accounts, choosing a fingerprint browser that continuously updates is crucial. NestBrowser updates its fingerprint library every quarter according to the latest browser versions, ensuring coverage of new fingerprint collection points, and supports custom fingerprint configurations. Users can even manually fine-tune the random range of memory parameters to adapt to specific platform anti-scraping algorithms.
7. Conclusion
Memory information fingerprint, though small, can serve as evidence for account association. From principles to detection, from passive defense to active forgery, this article reveals the full picture of this invisible dimension. For ordinary users, understanding and being wary of memory fingerprint tracking is sufficient; for professional operators, it is necessary to use specialized tools to completely block risks. It is recommended to use the batch creation feature of NestBrowser when setting up new environments to generate memory fingerprint combinations that conform to real-world distributions, thereby cutting off association chains at the root.
Action suggestion: Immediately open about:blank in your current browser and run the detection code above, write down your memory fingerprint value. Then switch to a new fingerprint browser environment, test again, and feel the security improvement brought by the fingerprint change. If you manage more than 5 accounts, this difference may be the “safety pill” for your account security.