Why the same formula gives different bits
IEEE-754 only guarantees the precision of basic operations (+, −, ×, ÷, sqrt). Transcendental functions like Math.tan or Math.expm1 are implementation-defined in their last bit or two. Chrome’s V8, Firefox’s SpiderMonkey, and Safari’s JavaScriptCore each ship different math routines, and those routines may further defer to the platform libm. The upshot: Math.tan(1e300) or Math.sinh(1) returns a value whose final hex digits identify the engine + OS combination.
Because the result is identical every run on a given machine, it slots neatly into a composite browser fingerprint with zero variance noise.
How it exposes spoofed browsers
This is the signal that punishes lazy User-Agent spoofing. If a scraper sets a Safari UA but runs headless Chrome, the math battery returns V8’s values, not JavaScriptCore’s. A lie detector compares the math signature against the claimed engine and flags the mismatch. The same trick catches Chrome-on-Linux pretending to be Chrome-on-Windows when paired with other OS signals.
There is no JavaScript-level fix: you cannot reimplement libm to match a different platform without reimplementing the engine. Real coherence comes from running the actual browser+OS you are claiming — which is why anti-detect stacks pin the whole environment, not just the UA string.
Why you cannot spoof your way out
The differences exploited here come from the JavaScript engine and the CPU's floating-point unit — the last bits of Math.tan(-1e300) or Math.sinh() differ between V8 (Chrome), SpiderMonkey (Firefox) and JavaScriptCore (Safari), and again across hardware. You cannot patch these results convincingly from inside a content script without re-implementing the math, and any wrapper you add is itself detectable. The result is that the engine signature has to genuinely match the browser you claim to be.
That makes engine fingerprinting a coherence test more than a value test: a tool that runs the SpiderMonkey engine must present a Firefox identity, not a Chrome one, or the math bits and the User-Agent disagree. This is why Camoufox is built on Firefox and reports as Firefox — and why bolting a Chrome User-Agent onto a non-V8 runtime is caught instantly by a lie detector.