🤖 AI Summary
This work identifies a novel threat to browser fingerprinting defenses posed by WebAssembly (WASM) obfuscation: attackers can compile JavaScript fingerprinting scripts into WASM binaries to evade source-code–based detection mechanisms. To systematically assess this threat, the authors introduce the first automated pipeline for generating realistic WASM-obfuscated variants of real-world JS fingerprinting scripts and rigorously evaluate the robustness of 12 state-of-the-art academic and commercial fingerprinting defenses. Results show that static, source-code–analysis–based detectors suffer severe degradation—average detection rate drops by 47%—whereas runtime API-interception–based built-in protections (e.g., Chrome’s FingerprintingProtection) maintain 100% effectiveness. This study provides the first quantitative characterization of the “defense gap” introduced by WASM obfuscation, empirically demonstrating the superiority of behavior-level interception over syntax-level detection. The findings offer critical empirical evidence to guide the design of next-generation anti-fingerprinting mechanisms.
📝 Abstract
Browser fingerprinting defenses have historically focused on detecting JavaScript (JS)-based tracking techniques. However, the widespread adoption of WebAssembly (WASM) introduces a potential blind spot, as adversaries can convert JS to WASM's low-level binary format to obfuscate malicious logic. This paper presents the first systematic evaluation of how such WASM-based obfuscation impacts the robustness of modern fingerprinting defenses. We develop an automated pipeline that translates real-world JS fingerprinting scripts into functional WASM-obfuscated variants and test them against two classes of defenses: state-of-the-art detectors in research literature and commercial, in-browser tools. Our findings reveal a notable divergence: detectors proposed in the research literature that rely on feature-based analysis of source code show moderate vulnerability, stemming from outdated datasets or a lack of WASM compatibility. In contrast, defenses such as browser extensions and native browser features remained completely effective, as their API-level interception is agnostic to the script's underlying implementation. These results highlight a gap between academic and practical defense strategies and offer insights into strengthening detection approaches against WASM-based obfuscation, while also revealing opportunities for more evasive techniques in future attacks.
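The abstract's point that API-level interception is agnostic to the script's implementation can be seen in a small added example (not code from the paper or its pipeline). It assumes a constructed stand-in API `surface.readEntropy`, a hand-assembled WASM module, and a simplified keyword check that inspects only the delivered payload and is not one of the evaluated detectors.

```javascript
// API-level interception: wrap the API before any page script runs.
function installHook(obj, name, log) {
  const original = obj[name];
  obj[name] = function (...args) {
    log.push(name); // behaviour-level signal: the API was touched
    return original.apply(this, args);
  };
}

// Variant 1: the probe as plain JS source text.
const jsSource = "return surface.readEntropy();";

// Variant 2: a hand-assembled WASM module (constructed bytes). It imports
// env.probe: () -> i32 and exports run(), whose body only calls that import.
const wasmBytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic, version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,             // type 0: () -> i32
  0x02, 0x0d, 0x01, 0x03, 0x65, 0x6e, 0x76,             // import module "env"
  0x05, 0x70, 0x72, 0x6f, 0x62, 0x65, 0x00, 0x00,       //   field "probe", func, type 0
  0x03, 0x02, 0x01, 0x00,                               // one defined function, type 0
  0x07, 0x07, 0x01, 0x03, 0x72, 0x75, 0x6e, 0x00, 0x01, // export "run" = func 1
  0x0a, 0x06, 0x01, 0x04, 0x00, 0x10, 0x00, 0x0b,       // body: call 0; end
]);

// Simplified source-level check (assumption): search the artifact for the API name.
const staticHit = (text) => text.includes("readEntropy");

function demo() {
  // Constructed stand-in for a fingerprintable browser API, so this runs in Node.
  const surface = { readEntropy: () => 1234 };
  const log = [];
  installHook(surface, "readEntropy", log);

  const fromJs = new Function("surface", jsSource)(surface);
  // WASM cannot touch host APIs directly; it reaches them through imports.
  const imports = { env: { probe: () => surface.readEntropy() } };
  const mod = new WebAssembly.Module(wasmBytes);
  const fromWasm = new WebAssembly.Instance(mod, imports).exports.run();

  return {
    fromJs, fromWasm, hookCalls: log.length,
    staticJs: staticHit(jsSource),
    staticWasm: staticHit(String.fromCharCode(...wasmBytes)),
  };
}

console.log(demo());
```

The hook records one call per variant because both paths end at the same wrapped function, while the keyword check matches only the JS source text.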