Why the same formula gives different bits
The IEEE-754 standard (the rules for how computers store decimals) only promises exact results for basic operations: +, −, ×, ÷, and sqrt. Functions like Math.tan or Math.expm1 are left implementation-defined in their last bit or two - meaning each engine is free to round them slightly differently. Chrome's V8, Firefox's SpiderMonkey, and Safari's JavaScriptCore each ship their own math routines, and those routines may hand the work off to the platform's libm. The result: Math.tan(1e300) or Math.sinh(1) ends in hex digits that effectively name the engine + OS combination.
Because the answer is identical on every run of a given machine, it drops cleanly into a composite browser fingerprint with no random noise to filter out.
How it exposes spoofed browsers
This is the signal that catches lazy User-Agent spoofing. If a scraper claims a Safari UA but is actually running headless Chrome (Chrome with no visible window, usually on a server), the math probes return V8's values, not JavaScriptCore's. A lie detector compares the math signature against the engine you claim to be and flags the mismatch. The same trick exposes Chrome-on-Linux pretending to be Chrome-on-Windows when combined with other OS signals.
There is no JavaScript-level fix: you cannot reimplement libm to match a different platform without reimplementing the whole engine. Real consistency only comes from running the actual browser + OS you are claiming — which is why anti-detect stacks lock down the entire environment, not just the UA string.
Why you cannot spoof your way out
The differences exploited here come from the JavaScript engine and the CPU's floating-point unit — the last bits of Math.tan(-1e300) or Math.sinh() differ between V8 (Chrome), SpiderMonkey (Firefox) and JavaScriptCore (Safari), and again across hardware. You cannot fake these results convincingly from inside a content script (the JavaScript a site can run in the page) without re-implementing the math, and any wrapper you add is itself detectable. So the engine signature has to genuinely match the browser you claim to be.
That makes engine fingerprinting a coherence test more than a value test: a tool running the SpiderMonkey engine must present a Firefox identity, not a Chrome one, or the math bits and the User-Agent contradict each other. This is why Camoufox is built on Firefox and reports as Firefox — and why bolting a Chrome User-Agent onto a non-V8 runtime is caught instantly by a lie detector.
