On July 12, 2026, engineers at the anti-scraping company Scrapfly published a technical blog post revealing an unsettling finding: starting with Chrome 148, an apparently harmless math function, Math.tanh(), returns slightly different results on different operating systems. In other words, any website that gets you to run a single line of math can tell whether you’re on Windows, macOS, or Linux.
▲ Image source: Scrapfly blog post screenshot
The finding hit the Hacker News front page the same day, with 207 upvotes and 90 comments. The developer community’s reaction was best described as “surprised” — everyone was used to browser fingerprinting via Canvas rendering, WebGL, audio processing — the “heavy weapons” of tracking — and never expected an ordinary hyperbolic tangent function to become an OS identifier.
One math problem, three different answers
Let’s make it concrete. In the Chrome 150 console, type Math.tanh(0.8) — computing the hyperbolic tangent of 0.8 — and three real machines on three OSes returned three different results:
| OS | Return value of Math.tanh(0.8) |
|---|---|
| Linux (glibc) | 0.6640367702678491 |
| macOS (libsystem_m) | 0.664036770267849 |
| Windows (UCRT) | 0.6640367702678489 |
Look at the last few digits. Linux has one more digit than macOS and the largest value; macOS has one fewer than Windows and sits in the middle; Windows’s value is slightly smaller. The differences are only in the last one or two digits — invisible to the naked eye, but for a computer they’re enough to form a clear OS signature.
Interestingly, not every input produces a difference. Scrapfly’s test data shows roughly three-quarters of inputs return identical results across all three systems. For example Math.tanh(0.5) returns 0.46211715726000974 on Linux, macOS, and Windows alike. tanh(0.7) differs only in Linux’s value; tanh(0.9) has only Windows standing apart. tanh(0.8) happens to be the “sweet spot” that distinguishes all three.
▲ Image source: Scrapfly blog comparison-table screenshot
This means a tracker doesn’t need to do anything elaborate. Run Math.tanh() a few times on a page, pick a few key input values, compare the results, and infer the visitor’s OS. If a visitor’s User-Agent claims macOS but the tanh result is a typical Linux value — that visitor is probably spoofing their identity.
Whose fault is it? Bug, or a mathematical fate?
A reader might ask: is this a Chrome bug?
The answer is subtle. It’s not exactly a bug, but it’s an unintended side effect of a “fix.”
Before Chrome 148, the V8 engine (Chrome’s JavaScript execution core) implemented Math.tanh using its own bundled math library, called fdlibm. Because the same code ran on every platform, Math.tanh returned identical results whether you used Chrome on Windows, macOS, or Linux — naturally leaking no OS information.
But at the end of 2025, the V8 team submitted a code change (commit c1486295ae5) that swapped the Math.tanh implementation from its bundled fdlibm to the C++ standard library’s std::tanh. The motivation was reasonable: shrink V8’s own code size, leverage the OS’s already highly optimized math libraries, and theoretically improve performance. The change shipped with V8 14.8.57, corresponding to Chrome 148.
The problem: the underlying math libraries on different OSes (Linux’s glibc, macOS’s libsystem_m, Windows’s UCRT) implement the hyperbolic tangent differently.
This is a fundamental constraint in mathematics. The IEEE 754 standard specifies the storage format for floating-point numbers and the precision requirements for basic operations (addition, subtraction, multiplication, division, square root) — but for “transcendental functions” like trigonometric, exponential, and hyperbolic functions, the standard does not mandate “correct rounding” — guaranteeing a result accurate to the last binary bit. The reason is practical: correctly-rounded computation is enormously expensive and would badly hurt performance. So each OS’s math library has its own approximation algorithm, coefficient tables, and constants, aiming to keep error within one “unit in the last place” (ULP) while preserving speed.
So the tiny cross-OS differences in Math.tanh after Chrome 148 are essentially a manifestation of mathematical approximation diversity. It’s not a bug you can simply “fix” — it’s a trade-off that’s existed in floating-point computation for decades: speed vs. precision. It’s just that when this trade-off is exposed at the browser’s user-interface layer, it unexpectedly becomes a privacy-leak channel.
Not just tanh — a leak surface spanning the whole browser
More alarming still, Math.tanh is only the tip of the iceberg.
Scrapfly’s blog points out that any browser API computed via the host OS’s math library (libm) theoretically carries the same leak risk. This includes CSS trigonometric functions (sin(), cos(), tan(), etc.) and the Web Audio API’s dynamic compressor. All of these rely on the underlying OS math library for floating-point computation.
In other words, even if the Chrome team fixes Math.tanh, as long as any browser API calls the host OS’s math functions without unifying them, the fingerprinting window remains open.
This is a classic “whack-a-mole” arms race. Browser developers work to seal every crack that might leak a user’s identity, while trackers and anti-scraping systems keep hunting for new signals. The history of fingerprinting is a history of both sides discovering new battlefields: from Canvas to WebGL, from font lists to audio waveforms, to today’s math-function result differences. Every time developers plug a hole, trackers find the next metric that seemed utterly impossible to weaponize.
The polarized HN reaction
The HN discussion split into two sharply different perspectives.
Some developers argued the finding’s real-world impact on ordinary users is limited. User “Aurornis” pointed out that most users don’t spoof their User-Agent, so identifying the OS via tanh adds no extra information — the User-Agent already tells the site which OS you’re on. He thought the vulnerability matters more for fingerprinting browser-version ranges, but even then it’s only a small piece of a much larger puzzle.
Others saw it completely differently. User “jeroenhd” noted that the finding matters to anti-scraping companies like Scrapfly precisely because they need to make scraper programs impersonate real browsers. A scraper running in a Linux VM that claims to be Chrome on macOS — but whose tanh return value betrays its true OS — can be trivially flagged as a bot by the anti-scraping system.
I lean toward thinking both sides have a point. For ordinary, honest browser users, the Math.tanh leak is redundant — your User-Agent is already volunteering your OS. But for users trying to hide their identity (whether for privacy or for data scraping), this newly discovered signal means: you must spoof not just the User-Agent, but the math-function return values too.
This raises a deeper question: in an internet architecture, how much of what we assume is “neutral” and “standardized” infrastructure is silently transmitting unique signals about our devices? A math function, a line of CSS, a snippet of audio processing — they shouldn’t be identity clues, yet the diversity of underlying implementations turns them into de facto tracking markers.
What happens next?
For now, this leak channel affects Chrome 148, 149, and 150. The Chrome team has not publicly responded. Scrapfly says closing the channel entirely would require the browser to use a unified math library at every layer (V8, Blink, Web Audio), or at least “flatten” the output. But that could carry a performance cost and poses real compatibility and maintenance challenges.
To ordinary users, I’d say: no need to panic. This finding is more an interesting but non-urgent new signal in privacy research — not a serious security hole that gets your account stolen. It’s worth watching because it represents a trend: users’ digital footprints are becoming harder and harder to fully hide.
The real significance of this story may be the broader observation it reveals: in the complex dependency chains of software systems, any seemingly trivial low-level choice can produce unexpected privacy consequences upstream. A Chrome team code cleanup, meant to reduce redundancy and boost performance, accidentally opened a new window onto OS identification. In that sense, the Math.tanh story is a classic case of “intent vs. side effect.”
Reference links:
- Scrapfly: Browser Math OS Fingerprint
- HN discussion (item?id=48884853)