AI Summary
This paper addresses two key challenges in web client fingerprinting: low cross-session device identification accuracy and vulnerability to User-Agent spoofing. To tackle these issues, we propose a novel fine-grained device fingerprinting method based on WebAssembly (Wasm), the first to leverage the Wasm JavaScript API for capturing behavioral disparities (including CPU, memory, and I/O characteristics) as well as low-level execution timing patterns. The resulting browser-device joint fingerprint is cross-platform and robust against spoofing. We validate our approach across x86/ARM architectures and diverse operating systems, including Windows, macOS, Android, iOS, and virtualized environments, achieving a false positive rate below 1% and significantly improving discriminability among Chromium-based browsers (e.g., Chrome and Edge). Furthermore, we design an integrated privacy-preserving mitigation mechanism compatible with standard browsers, enhancing both robustness and generalizability while safeguarding user privacy.
Abstract
Web client fingerprinting has become a widely used technique for uniquely identifying users, browsers, operating systems, and devices with high accuracy. While it is beneficial for applications such as fraud detection and personalized experiences, it also raises privacy concerns by enabling persistent tracking and detailed user profiling. This paper introduces an advanced fingerprinting method using WebAssembly (Wasm), a low-level programming language that offers near-native execution speed in modern web browsers. With broad support across major browsers and growing adoption, WebAssembly provides a strong foundation for developing more effective fingerprinting methods. In this work, we present a new approach that leverages WebAssembly's computational capabilities to identify returning devices (such as smartphones, tablets, laptops, and desktops) across different browsing sessions. Our method uses subtle differences in the WebAssembly JavaScript API implementation to distinguish between Chromium-based browsers like Google Chrome and Microsoft Edge, even when identifiers such as the User-Agent are completely spoofed, achieving a false-positive rate of less than 1%. The fingerprint is generated using a combination of CPU-bound operations, memory tasks, and I/O activities to capture unique browser behaviors. We validate this approach on a variety of platforms, including Intel, AMD, and ARM CPUs, operating systems such as Windows, macOS, Android, and iOS, and in environments like VMware, KVM, and VirtualBox. Extensive evaluation shows that WebAssembly-based fingerprinting significantly improves identification accuracy. We also propose mitigation strategies to reduce the privacy risks associated with this method, which could be integrated into future browser designs to better protect user privacy.