Can You Be Tracked Through JavaScript?
JavaScript is one of the most powerful technologies on the web — responsible for interactivity, analytics, UI rendering, and more.
But its power also makes it a tool for tracking users, intentionally or unintentionally.
So can you be tracked through JavaScript?
Yes — and in more ways than most people realize.
This article breaks down how JavaScript tracking works, what techniques are used, what data can be collected, and how you can mitigate the risks.
Technical examples included.
Why JavaScript Enables Tracking
JavaScript runs directly in the user's browser with permission to access:
- Device information
- Browser features
- Network details
- Interaction patterns
- Storage (cookies, localStorage, IndexedDB)
- Hardware hints (GPUs, audio stack, sensors)
Even without cookies, JavaScript can build a unique fingerprint of your device.
JavaScript Tracking Techniques
Below are the most widely used methods — from benign analytics to invasive fingerprinting.
1. Cookies (Traditional Tracking)
Cookies let websites store small bits of information about you — sessions, analytics IDs, preferences, etc.
JavaScript can read and write cookies:
// Write a cookie
document.cookie = "userID=12345; path=/; max-age=86400";
// Read cookies
console.log(document.cookie);
Cookies are shared with servers on every request, enabling tracking across sessions.
Limitations
- Can be cleared
- Can be blocked
- Expire
- Regulated by GDPR/CCPA
2. LocalStorage & SessionStorage (Supercookies)
These are not sent to the server automatically, but they persist indefinitely unless manually cleared.
// Save tracking identifier
localStorage.setItem("uid", crypto.randomUUID());
// Read it later
const uid = localStorage.getItem("uid");
Why they're effective:
- Never expire
- Survive browser restarts
- Not affected by the same policies as cookies
- Hard for users to notice
3. IndexedDB (Persistent Unique IDs)
IndexedDB is even harder to detect and is sometimes abused for “evercookie” persistence.
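const req = indexedDB.open("trackerDB", 1);
// Create the object store the first time the database is opened
req.onupgradeneeded = () => {
  req.result.createObjectStore("store", { keyPath: "id" });
};
req.onsuccess = () => {
  const db = req.result;
  // store a unique ID
  const tx = db.transaction("store", "readwrite");
  tx.objectStore("store").put({ id: "trackingID", value: 999 });
};
Because clearing IndexedDB is uncommon, it becomes a stealth storage mechanism.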
4. Canvas Fingerprinting
One of the most effective JavaScript tracking techniques.
How it works
JavaScript draws hidden text or shapes on an HTML <canvas>, then extracts the rendering output.
Rendering differences between:
- OS
- GPU
- Drivers
- Browser version
- Anti-aliasing implementation
…produce a unique hash.
Example:
function getCanvasFingerprint() {
  const canvas = document.createElement('canvas');
  const ctx = canvas.getContext('2d');
  ctx.textBaseline = "top";
  ctx.font = "16px Arial";
  ctx.fillText("BrowserFingerprintTest", 2, 2);
  return canvas.toDataURL();
}
console.log(getCanvasFingerprint());
This output is hashed and used as a fingerprint.
5. Audio Fingerprinting
Based on how your audio stack processes frequencies.
let context = new OfflineAudioContext(1, 44100, 44100);
let osc = context.createOscillator();
osc.type = "triangle";
osc.frequency.value = 10000;
osc.connect(context.destination);
osc.start(0);
context.startRendering().then(buffer => {
  console.log(buffer.getChannelData(0).slice(0, 10));
});
Each device generates different floating-point patterns.
6. Browser & Device Fingerprinting
JavaScript can gather dozens of attributes including:
- User agent
- Screen resolution
- Timezone
- Installed fonts
- GPU info
- WebGL rendering details
- Input methods
- Language settings
- Touchscreen availability
Example snippet:
const gl = document.createElement('canvas').getContext('webgl');
const fingerprint = {
  ua: navigator.userAgent,
  lang: navigator.language,
  rez: `${screen.width}x${screen.height}`,
  tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
  cores: navigator.hardwareConcurrency,
  // getContext returns null when WebGL is unavailable
  gpu: gl ? gl.getParameter(gl.RENDERER) : null
};
console.log(fingerprint);
Combined, these form a highly unique profile.
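To show why the combination matters more than any single attribute, this added example (not code from the original article) measures how the group of visitors sharing a profile shrinks as attributes are combined, and how reporting uniform values restores it. The visitor population, the `uniform` stand-in for anti-fingerprinting, and all function names are constructed assumptions.

```javascript
// Constructed sample population (values invented); keys match the fingerprint
// object above. A real tracker would see many more visitors and attributes.
const visitors = [
  { lang: "en-US", rez: "1920x1080", tz: "America/New_York", cores: 8 },
  { lang: "en-US", rez: "1920x1080", tz: "America/New_York", cores: 4 },
  { lang: "en-US", rez: "1920x1080", tz: "Europe/London", cores: 8 },
  { lang: "en-US", rez: "1366x768", tz: "America/New_York", cores: 8 },
  { lang: "en-US", rez: "2560x1440", tz: "America/Chicago", cores: 16 },
  { lang: "de-DE", rez: "1920x1080", tz: "Europe/Berlin", cores: 8 },
  { lang: "fr-FR", rez: "1366x768", tz: "Europe/Paris", cores: 4 },
  { lang: "en-GB", rez: "1920x1080", tz: "Europe/London", cores: 8 },
];

// Surprisal of one attribute value in bits: -log2(share of visitors reporting it).
function surprisalBits(population, key, value) {
  const matches = population.filter(v => v[key] === value).length;
  return matches === 0 ? Infinity : -Math.log2(matches / population.length);
}

// Anonymity set: number of visitors identical to `target` on every listed key.
function anonymitySet(population, target, keys) {
  return population.filter(v => keys.every(k => v[k] === target[k])).length;
}

// Crowd size after each further attribute is added to the profile.
function shrinkage(population, target, keys) {
  return keys.map((_, i) => anonymitySet(population, target, keys.slice(0, i + 1)));
}

// Simplified stand-in for anti-fingerprinting: everyone reports the same fixed
// value per attribute (the idea behind making all users look identical).
function uniform(visitor) {
  return { ...visitor, lang: "en-US", rez: "1400x900", tz: "UTC", cores: 2 };
}

const attributeKeys = ["lang", "rez", "tz", "cores"];
// Crowd size for the first visitor as lang, rez, tz and cores are combined
console.log(shrinkage(visitors, visitors[0], attributeKeys));
// Crowd size once every visitor reports the uniform values
console.log(anonymitySet(visitors.map(uniform), uniform(visitors[0]), attributeKeys));
```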
7. Network-Based Tracking
IP Address
JavaScript cannot directly read your IP address, but it can query a STUN server via WebRTC — without permission.
WebRTC Leak Example:
let pc = new RTCPeerConnection({ iceServers: [] });
pc.createDataChannel("");
pc.createOffer().then(offer => pc.setLocalDescription(offer));
pc.onicecandidate = event => {
  if (event && event.candidate) {
    console.log(event.candidate.candidate); // contains your local IP
  }
};
Even with a VPN, WebRTC can reveal local network info unless blocked.
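To check what your own browser exposes, this added example (not part of the original article) parses candidate strings such as those logged by the snippet above and labels what each one reveals. The sample lines, exposure labels, and function names are constructed for illustration; some browsers substitute an mDNS `.local` name for the host address, which the classifier treats as obfuscated.

```javascript
// Constructed ICE candidate lines using private and documentation address ranges.
const sampleCandidates = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e8a-9c0f-5d6e7f8a9b0c.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 41885439 198.51.100.9 3478 typ relay raddr 0.0.0.0 rport 0",
  "not a candidate line",
];

// Split one candidate attribute into the fields that matter for privacy.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const raddr = /\sraddr (\S+)/.exec(m[5]);
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4], relatedAddress: raddr ? raddr[1] : null };
}

// True for RFC 1918 and link-local IPv4 addresses.
function isPrivateIPv4(addr) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return false;
  const [a, b] = addr.split(".").map(Number);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Label what a single candidate tells the page that gathered it.
function classifyCandidate(line) {
  const c = parseCandidate(line);
  if (!c) return { exposure: "unparsed", address: null, relatedLocal: false };
  let exposure = "other";
  if (c.address.endsWith(".local")) exposure = "mdns-obfuscated";
  else if (c.type === "host") exposure = "local-ip";
  else if (c.type === "srflx" || c.type === "prflx") exposure = "public-ip";
  else if (c.type === "relay") exposure = "relay-address";
  // A reflexive candidate can also carry the local address in raddr.
  const relatedLocal = c.relatedAddress !== null && isPrivateIPv4(c.relatedAddress);
  return { exposure, address: c.address, relatedLocal };
}

// Keep only candidates that reveal an address of the user's machine or network.
function findLeaks(lines) {
  return lines.map(classifyCandidate)
    .filter(r => r.exposure === "local-ip" || r.exposure === "public-ip" || r.relatedLocal);
}

console.log(findLeaks(sampleCandidates));
```

An empty result from `findLeaks` on your own browser's candidates means only obfuscated or relay addresses were offered to the page.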
JavaScript Tracking in the Real World
These techniques are used by:
- Advertising networks
- Analytics platforms
- Anti-fraud systems
- Bot detection solutions
- Social media platforms
- Government surveillance (reported in some cases)
- Cross-site trackers embedded in iframes/scripts
Even with cookies blocked, JavaScript fingerprinting still works.
This is why GDPR and major browsers are cracking down on cross-site JS tracking methods.
How to Protect Yourself From JavaScript Tracking
Below are the most effective mitigation strategies.
1. Disable JavaScript (Not Practical)
Tools like NoScript, uMatrix, or LibreWolf can block JavaScript entirely — but most websites break.
2. Use Browsers with Anti-Fingerprinting
- Firefox (Enhanced Tracking Protection)
- Safari (Intelligent Tracking Prevention)
- Brave (built-in fingerprint randomization)
- Tor Browser (strongest option — makes all users look identical)
3. Block 3rd-Party Scripts
Use tools like:
- uBlock Origin
- Privacy Badger
- Ghostery
These prevent invisible trackers from loading.
4. Disable WebRTC
To prevent IP leaks:
- In Firefox: about:config → media.peerconnection.enabled = false
- In Chrome-based browsers: use extensions ("WebRTC Network Limiter")
5. Clear Storage Regularly
Clear:
- Cookies
- LocalStorage
- SessionStorage
- IndexedDB
- Cache
Brave, Firefox, and Safari support “clear on exit”.
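Before clearing, it can help to see which stored entries look like identifiers. This added example (not from the original article) applies simple heuristics, chosen here as assumptions, to a constructed storage snapshot: UUID-shaped values, long high-entropy values, and ID-like key names.

```javascript
// Constructed storage snapshot (all values invented for this example).
const sampleEntries = [
  { store: "cookie", key: "theme", value: "dark" },
  { store: "cookie", key: "userID", value: "12345" },
  { store: "localStorage", key: "uid", value: "3b241101-e2bb-4255-8caf-4136c566a962" },
  { store: "localStorage", key: "cart", value: "[]" },
  { store: "localStorage", key: "_pref", value: "9f86d081884c7d659a2feaa0c55ad015" },
  { store: "indexedDB", key: "trackingID", value: 999 },
];

// Heuristic patterns (assumptions of this example, not a standard).
const UUID_VALUE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ID_LIKE_KEY = /(^|[_-])(u?uid|user_?id|visitor|track|client_?id|device_?id)/i;

// Shannon entropy of a string's characters, in bits per character.
function entropyPerChar(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// List the reasons an entry looks like a persistent identifier.
function reasons(entry) {
  const value = String(entry.value);
  const out = [];
  if (UUID_VALUE.test(value)) out.push("uuid-value");
  else if (value.length >= 16 && entropyPerChar(value) >= 3) out.push("high-entropy-value");
  if (ID_LIKE_KEY.test(entry.key)) out.push("id-like-key");
  return out;
}

// Return only the entries with at least one reason, annotated with those reasons.
function auditStorage(entries) {
  return entries
    .map(e => ({ ...e, reasons: reasons(e) }))
    .filter(e => e.reasons.length > 0);
}

// In a browser console, a localStorage snapshot can be built with:
//   Object.entries(localStorage).map(([key, value]) => ({ store: "localStorage", key, value }))
console.log(auditStorage(sampleEntries).map(e => `${e.store}:${e.key} -> ${e.reasons.join(", ")}`));
```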
6. Use a VPN + Privacy Extensions
A VPN alone does not stop JS tracking — but when combined with anti-fingerprinting, privacy improves significantly.
Can JavaScript Track You Across Websites?
Yes — primarily through:
- Third-party scripts embedded everywhere
- Canvas/audio fingerprinting
- Cross-site cookies
- CNAME cloaking
- Pixel beacons + JS sync
If two sites embed the same tracker (e.g., Google, Meta, TikTok), they can correlate your activity even without cookies.
Key Takeaways
- Yes, JavaScript can track you in powerful and invisible ways.
- Cookies are only the beginning — fingerprinting is far more advanced.
- JavaScript can collect dozens of device/browser attributes for identification.
- Protection requires a combination of browser features, privacy tools, and good habits.
- Tor Browser or Brave give the strongest practical protection.