Not too exciting of an issue, unfortunately. It only really works if you have one application or website open in addition to the malicious page. They don't mention it explicitly (though maybe I missed it), but it seems like you'd have a very hard time fingerprinting individual pages, only websites. It also seems like you have to open the application or webpage while the malicious page is measuring—it can't get a meaningful trace from a page that's idling.
The other thing that stands out to me is that I would expect the browser to throttle the malicious page when it's inactive. Background tabs don't stay fully active, so you'd be hard pressed to abuse this in realistic circumstances, I think.
The research paper:
https://hannesweissteiner.com/pdfs/frost.pdf
Not too exciting of an issue, unfortunately. It only really works if you have one application or website open in addition to the malicious page. They don't mention it explicitly (though maybe I missed it), but it seems like you'd have a very hard time fingerprinting individual pages, only websites. It also seems like you have to open the application or webpage while the malicious page is measuring—it can't get a meaningful trace from a page that's idling.
The other thing that stands out to me is that I would expect the browser to throttle the malicious page when it's inactive. Background tabs don't stay fully active, so you'd be hard pressed to abuse this in realistic circumstances, I think.
Good, now I have an excuse for keeping 50 tabs open all the time!