Anti-Bot

What Is Math & JS Engine Fingerprinting?

By the Scrappey Research Team

What Is Math & JS Engine Fingerprinting? — conceptual illustration
On this page

Math fingerprinting identifies a browser by running math functions (sin, cos, tan, exp, log, pow) on fixed inputs and reading the very last bits of the answers. Those final bits depend on the CPU's floating-point unit (the chip's math hardware), the system math library (libm - the C code that computes these functions), and the JavaScript engine's own shortcuts. The results are the same every time on a given machine, so they make a stable, hard-to-fake signal - and they reveal the real engine even when the User-Agent (the browser's self-reported identity) lies about it.

Quick facts

ReadsLast bits of Math.acos, atanh, expm1, sinh, pow, etc.
Varies byCPU FPU, libm version, V8 vs SpiderMonkey vs JavaScriptCore
CostMicroseconds — runs on every page load
RevealsA "Safari" UA running on V8 (i.e. a faker)
RelatedWASM timing, hardware concurrency, device memory

Why the same formula gives different bits

The IEEE-754 standard (the rules for how computers store decimals) only promises exact results for basic operations: +, −, ×, ÷, and sqrt. Functions like Math.tan or Math.expm1 are left implementation-defined in their last bit or two - meaning each engine is free to round them slightly differently. Chrome's V8, Firefox's SpiderMonkey, and Safari's JavaScriptCore each ship their own math routines, and those routines may hand the work off to the platform's libm. The result: Math.tan(1e300) or Math.sinh(1) ends in hex digits that effectively name the engine + OS combination.

Because the answer is identical on every run of a given machine, it drops cleanly into a composite browser fingerprint with no random noise to filter out.

How it exposes spoofed browsers

This is the signal that catches lazy User-Agent spoofing. If a scraper claims a Safari UA but is actually running headless Chrome (Chrome with no visible window, usually on a server), the math probes return V8's values, not JavaScriptCore's. A lie detector compares the math signature against the engine you claim to be and flags the mismatch. The same trick exposes Chrome-on-Linux pretending to be Chrome-on-Windows when combined with other OS signals.

There is no JavaScript-level fix: you cannot reimplement libm to match a different platform without reimplementing the whole engine. Real consistency only comes from running the actual browser + OS you are claiming — which is why anti-detect stacks lock down the entire environment, not just the UA string.

Why you cannot spoof your way out

The differences exploited here come from the JavaScript engine and the CPU's floating-point unit — the last bits of Math.tan(-1e300) or Math.sinh() differ between V8 (Chrome), SpiderMonkey (Firefox) and JavaScriptCore (Safari), and again across hardware. You cannot fake these results convincingly from inside a content script (the JavaScript a site can run in the page) without re-implementing the math, and any wrapper you add is itself detectable. So the engine signature has to genuinely match the browser you claim to be.

That makes engine fingerprinting a coherence test more than a value test: a tool running the SpiderMonkey engine must present a Firefox identity, not a Chrome one, or the math bits and the User-Agent contradict each other. This is why Camoufox is built on Firefox and reports as Firefox — and why bolting a Chrome User-Agent onto a non-V8 runtime is caught instantly by a lie detector.

Related terms

Concept map

How Math & JS Engine Fingerprinting connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Anti-Bot
Building map…

Frequently asked questions

Is math fingerprinting high-entropy on its own?

No — on its own it mostly identifies the engine + OS family, not a specific device (low entropy: it narrows down what kind of machine you are, not which one). Its real value is consistency and serving as a lie-detector cross-check, not standalone uniqueness.

Can I randomise the math results?

Patching the Math functions in JavaScript is detectable - the patched function fails the native-code toString check that reveals it is no longer the browser's built-in version - and randomising breaks the stable-per-machine behavior detectors expect. It does more harm than good.

Does WebAssembly have the same issue?

WebAssembly (WASM - a low-level binary format browsers run for speed) specifies math more strictly, but its SIMD timing and rounding still leak engine details, which is why anti-bots increasingly pair Math probes with WASM ones.

Last updated: 2026-05-31