@fanboynz/network-scanner 3.0.2 → 3.1.0

package/lib/fingerprint.js

@@ -28,13 +28,24 @@ const FINGERPRINT_CACHE_MAX = 500;
 
 // User agent collections with latest versions
 const USER_AGENT_COLLECTIONS = Object.freeze(new Map([
-  ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['chrome_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['chrome_linux', "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['firefox', "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['firefox_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['firefox_linux', "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['safari', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Safari/605.1.15"]
+  // Chrome version uses the reduced 'X.0.0.0' privacy-preserving form (per
+  // Chrome's UA reduction since v101). The full build (148.0.7778.179) is
+  // not exposed via UA in modern Chrome — UA-Client-Hints carries that
+  // separately. User confirmed Chrome 148 stable as of late May 2026.
+  ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  ['chrome_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  ['chrome_linux', "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  // Firefox 151 stable (user-confirmed: 151.0.2). UA convention is to use
+  // major.minor for both rv: and Firefox/ — patch level is not customary
+  // in the UA string and matches existing nwss style.
+  ['firefox', "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  ['firefox_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  ['firefox_linux', "Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  // Safari 19.5 estimated current stable as of late May 2026 (macOS Tahoe).
+  // Not user-confirmed; adjust if a more recent Safari version is verified.
+  // The Version/X.Y prefix is what fingerprinters key off; Safari/605.1.15
+  // is the long-stable WebKit version string (~unchanged since Safari 17).
+  ['safari', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/19.5 Safari/605.1.15"]
 ]));
 
 // GPU pool — realistic vendor/renderer combos per OS (used for WebGL spoofing)
@@ -248,7 +259,15 @@ async function validatePageForInjection(page, currentUrl, forceDebug) {
     }
     await Promise.race([
       page.evaluate(() => document.readyState || 'loading'),
-      new Promise((_, reject) => setTimeout(() => reject(new Error('Page evaluation timeout')), 1500))
+      new Promise((_, reject) => {
+        // unref so a still-pending race timer (page.evaluate won) doesn't
+        // hold the Node event loop alive for up to 1.5s past scan exit.
+        // Same pattern as the nettools timer unrefs in 83209d4 / 0c5d644;
+        // closes the last known node-side unref'd setTimeout in the
+        // fingerprint module.
+        const t = setTimeout(() => reject(new Error('Page evaluation timeout')), 1500);
+        if (typeof t.unref === 'function') t.unref();
+      })
     ]);
     return true;
   } catch (validationErr) {
@@ -506,6 +525,21 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             configurable: true,
             enumerable: true
           });
+
+          // Belt-and-suspenders: some older Chromium-driver setups leave a
+          // `webdriver` attribute on the <html> element (different surface
+          // from navigator.webdriver). DataDome and similar detectors
+          // check both. Modern Puppeteer with ignoreDefaultArgs:
+          // ['--enable-automation'] (set in nwss.js's createBrowser) doesn't
+          // emit this attribute, so this is defensive against rare edge
+          // cases. documentElement should exist by evaluateOnNewDocument
+          // time; wrapped in optional-chaining + try/catch for the contexts
+          // where it doesn't.
+          try {
+            if (document?.documentElement?.hasAttribute('webdriver')) {
+              document.documentElement.removeAttribute('webdriver');
+            }
+          } catch (_) {}
         }, 'webdriver removal');
 
         // Remove automation properties
@@ -567,7 +601,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 // consistent number. Was hardcoded "146.0.0.0" which lied
                 // any time the UA was rotated to a different Chrome major.
                 const m = userAgent.match(/Chrome\/(\d+)/);
-                const major = m ? m[1] : '146';
+                const major = m ? m[1] : '148';
                 return {
                   name: "Chrome",
                   version: `${major}.0.0.0`,
@@ -814,16 +848,27 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         safeExecute(() => {
           let vendor = 'Google Inc.';
           let product = 'Gecko';
-          
+          // productSub is a legacy Mozilla-era property: '20030107' for
+          // every browser EXCEPT Firefox (which uses '20100101'). Real
+          // Chrome / Safari / etc. all report '20030107'. Real Firefox
+          // reports '20100101'. Common bot-detection signal because
+          // anti-detection libraries often spoof UA but forget this.
+          // vendorSub is always '' across all browsers (legacy/unused).
+          let productSub = '20030107';
+          const vendorSub = '';
+
           if (userAgent.includes('Firefox')) {
             vendor = '';
+            productSub = '20100101';
           } else if (userAgent.includes('Safari') && !userAgent.includes('Chrome')) {
             vendor = 'Apple Computer, Inc.';
           }
-          
+
           const vendorProps = {
             vendor: { get: () => vendor },
-            product: { get: () => product }
+            product: { get: () => product },
+            productSub: { get: () => productSub },
+            vendorSub: { get: () => vendorSub }
           };
           spoofNavigatorProperties(navigator, vendorProps);
         }, 'vendor/product spoofing');
@@ -872,8 +917,15 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 platformVersion: platformVersion,
                 fullVersionList: [
                   { brand: 'Not:A-Brand', version: '99.0.0.0' },
-                  { brand: 'Google Chrome', version: majorVersion + '.0.7632.160' },
-                  { brand: 'Chromium', version: majorVersion + '.0.7632.160' }
+                  // Build number 7778.179 matches real Chrome 148 stable
+                  // (per user-confirmed installed version as of late May 2026).
+                  // Prior 7632.160 was Chrome 145's build — outdated for 148.
+                  // If Chrome major bumps in future, update this build number
+                  // too — fullVersionList being inconsistent with the major
+                  // version is a fingerprint-detection signal (a real Chrome
+                  // 148 install would never report a 7632.x build).
+                  { brand: 'Google Chrome', version: majorVersion + '.0.7778.179' },
+                  { brand: 'Chromium', version: majorVersion + '.0.7778.179' }
                 ]
               };
               // Only return requested hints
@@ -1270,6 +1322,23 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (window.Notification && Notification.requestPermission) {
             Notification.requestPermission = () => Promise.resolve('default');
           }
+
+          // Notification.permission STATIC PROPERTY — distinct from the
+          // requestPermission() method patched above. DataDome and similar
+          // detectors read Notification.permission directly. Real Chrome
+          // with no granted permission returns 'default'; headless Chrome
+          // returns 'denied'. Without this override the prior block (which
+          // only patched the method) leaves the static property as a live
+          // headless tell. Wrapped in try/catch because some embedded
+          // contexts make Notification non-configurable.
+          if (window.Notification) {
+            try {
+              Object.defineProperty(Notification, 'permission', {
+                get: () => 'default',
+                configurable: true
+              });
+            } catch (_) {}
+          }
         }, 'permissions API spoofing');
 
         // Media Device Spoofing
@@ -1299,26 +1368,198 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             const sY = Math.floor(Math.random() * 50) + 20;
             Object.defineProperty(window, 'screenX', { get: () => sX });
             Object.defineProperty(window, 'screenY', { get: () => sY });
+            // screenLeft / screenTop are the legacy IE-era aliases for
+            // screenX / screenY; real Chrome exposes them as identical
+            // values. Headless / spoofers often leave them undefined or 0,
+            // which is a tell since the screenX/Y patch above changed
+            // those values to be non-zero. Mirror them explicitly so the
+            // four properties stay consistent.
+            Object.defineProperty(window, 'screenLeft', { get: () => sX });
+            Object.defineProperty(window, 'screenTop', { get: () => sY });
           }
         }, 'window dimension spoofing');
 
+        // Modern Chrome API stubs — these APIs exist in real desktop
+        // Chrome but may be missing or wrong in headless. Detectors check
+        // presence + minimal shape as a 'real browser?' signal. Each one
+        // is wrapped individually so a failure on one doesn't break the
+        // others, and the existence checks let real-Chrome paths
+        // (where the property already exists with the right value) skip
+        // the override entirely.
+        safeExecute(() => {
+          // Document.hasStorageAccess() — Storage Access API. Real Chrome
+          // returns a Promise<boolean>; resolve with true to mimic the
+          // common 'storage already accessible (top-level context)' state.
+          if (document && typeof document.hasStorageAccess !== 'function') {
+            try {
+              Object.defineProperty(document, 'hasStorageAccess', {
+                value: () => Promise.resolve(true),
+                configurable: true,
+                writable: true
+              });
+            } catch (_) {}
+          }
+        }, 'document.hasStorageAccess stub');
+
+        safeExecute(() => {
+          // navigator.userActivation — UserActivation interface tracking
+          // whether the page has had a user gesture. Real Chrome exposes
+          // {hasBeenActive: bool, isActive: bool}. After interaction
+          // simulation (interact / ghost-cursor) both should be true; we
+          // default to true so a site checking before our synthetic
+          // gestures fire still sees a 'user activated' page.
+          //
+          // ALWAYS override — the prior guard `if (!navigator.userActivation)`
+          // meant this code only fired when the property was missing.
+          // But navigator.userActivation has existed in Chrome since
+          // version 88 (Jan 2021) — modern Chrome (the UA we spoof)
+          // always has it natively. The guard therefore prevented the
+          // spoof from ever firing in normal use; real headless Chrome's
+          // hasBeenActive=false / isActive=false leaked through, an
+          // easy bot signal that many modern detectors check
+          // (DataDome, PerimeterX, the AdsCore-integrated popunder
+          // loaders like blazyload.min.js which probe userActivation 6×
+          // to gate window.open). Drop the guard so we always shadow
+          // the prototype-level getter with our true/true values.
+          if (navigator) {
+            try {
+              const userActivation = {
+                hasBeenActive: true,
+                isActive: true
+              };
+              Object.defineProperty(navigator, 'userActivation', {
+                get: () => userActivation,
+                configurable: true
+              });
+            } catch (_) {}
+          }
+        }, 'navigator.userActivation stub');
+
+        safeExecute(() => {
+          // navigator.getInstalledRelatedApps() — Chrome-specific API
+          // returning installed PWAs/native apps related to the current
+          // origin. Real Chrome has this as a function; absence is a tell
+          // for non-Chrome / headless. Return empty array (the common
+          // no-related-apps case) — same as a fresh real-Chrome profile.
+          if (navigator && typeof navigator.getInstalledRelatedApps !== 'function') {
+            try {
+              Object.defineProperty(navigator, 'getInstalledRelatedApps', {
+                value: () => Promise.resolve([]),
+                configurable: true,
+                writable: true
+              });
+            } catch (_) {}
+          }
+        }, 'navigator.getInstalledRelatedApps stub');
+
+        // screen.orientation — modern browsers expose a ScreenOrientation
+        // interface ({type, angle, addEventListener, lock, unlock, ...}).
+        // Missing entirely in some headless contexts; presence + shape are
+        // checked by DataDome and similar detectors as a "real browser"
+        // signal. The values below mirror real desktop Chrome's landscape
+        // primary orientation; lock()/unlock() match real-Chrome behaviour
+        // when no fullscreen element is active (lock rejects with
+        // NotSupportedError, unlock is a no-op). Object identity is stable
+        // (hoisted out of the getter) so reference-equality checks pass.
+        safeExecute(() => {
+          if (!window.screen.orientation) {
+            const orientation = {
+              type: 'landscape-primary',
+              angle: 0,
+              onchange: null,
+              addEventListener: () => {},
+              removeEventListener: () => {},
+              dispatchEvent: () => false,
+              lock: () => Promise.reject(new Error('NotSupportedError')),
+              unlock: () => {}
+            };
+            Object.defineProperty(window.screen, 'orientation', {
+              get: () => orientation,
+              configurable: true
+            });
+          }
+        }, 'screen.orientation spoofing');
+
         // navigator.connection — missing or incomplete in headless.
         // Object literal hoisted out of the getter so identity is stable
         // across reads. Real Chrome's NetworkInformation instance has
         // `navigator.connection === navigator.connection`; previously
         // the getter returned a new object on every read, which a
         // tracker could detect by comparing references.
+        //
+        // Per-domain seeded values (FNV-1a hash of hostname): hardcoded
+        // '4g/wifi/50/10' across every site was a cross-publisher
+        // tracking axis -- a fingerprinter aggregating across N sites
+        // running the same script saw identical connection values
+        // everywhere, useful as a stable identity signal. Domain-seeding
+        // breaks that while keeping values stable per-domain (real
+        // navigator.connection IS stable per-session; per-navigation
+        // randomness would be its own anomaly). Same pattern as the
+        // Battery API fix in c1affe4.
         safeExecute(() => {
           if (!navigator.connection) {
+            let h = 0x811c9dc5;
+            const domain = (window.location && window.location.hostname) || '';
+            for (let i = 0; i < domain.length; i++) {
+              h = ((h ^ domain.charCodeAt(i)) * 0x01000193) >>> 0;
+            }
+            // 4g 75%, 3g 18%, 2g 5%, slow-2g 2% — distribution biased
+            // toward modern broadband since most page loads happen there.
+            const etRoll = (h >>> 4) % 100;
+            const effectiveType = etRoll < 75 ? '4g'
+                                : etRoll < 93 ? '3g'
+                                : etRoll < 98 ? '2g'
+                                : 'slow-2g';
+            // rtt + downlink MUST correlate with effectiveType — the
+            // W3C Network Information API defines effectiveType as a
+            // CLASSIFICATION of rtt/downlink ranges, so producing
+            // slow-2g with 32.5 Mbps downlink (as the prior uncorrelated
+            // version did) is physically impossible in real Chrome. A
+            // detector cross-checking effectiveType against rtt/downlink
+            // magnitudes catches that trivially. Ranges below match the
+            // spec's boundaries:
+            //   slow-2g: rtt > 2000ms, downlink < 0.05 Mbps
+            //   2g:      rtt > 1400ms, downlink < 0.07 Mbps
+            //   3g:      rtt > 270ms,  downlink < 0.7 Mbps
+            //   4g:      rtt < 270ms,  downlink >= 0.7 Mbps
+            const rttRange = effectiveType === '4g'      ? [25, 250]
+                           : effectiveType === '3g'      ? [275, 1400]
+                           : effectiveType === '2g'      ? [1425, 2000]
+                           : /* slow-2g */                 [2025, 5000];
+            const dlRange  = effectiveType === '4g'      ? [1.0, 50.0]
+                           : effectiveType === '3g'      ? [0.1, 0.7]
+                           : effectiveType === '2g'      ? [0.05, 0.07]
+                           : /* slow-2g */                 [0.01, 0.05];
+            // 25ms-bucketed rtt (Chrome's privacy rounding granularity)
+            const rttRaw = rttRange[0] + (((h >>> 8) % 1000) / 1000) * (rttRange[1] - rttRange[0]);
+            const rtt = Math.round(rttRaw / 25) * 25;
+            // 0.025-precision downlink (Chrome's privacy rounding)
+            const dlRaw = dlRange[0] + (((h >>> 16) % 1000) / 1000) * (dlRange[1] - dlRange[0]);
+            const downlink = Math.round(dlRaw * 40) / 40;
+            // saveData ~5% — most users don't enable Data Saver
+            const saveData = ((h >>> 24) & 0xff) < 13;
+            // NetworkInformation extends EventTarget — real Chrome has
+            // dispatchEvent in addition to add/removeEventListener.
+            // Returning true per the EventTarget spec for the
+            // no-listeners case (no preventDefault called).
             const connectionInfoStable = {
-              effectiveType: '4g',
-              rtt: 50,
-              downlink: 10,
-              saveData: false,
-              type: 'wifi',
+              effectiveType,
+              rtt,
+              downlink,
+              saveData,
               addEventListener: () => {},
-              removeEventListener: () => {}
+              removeEventListener: () => {},
+              dispatchEvent: () => true
             };
+            // NetworkInformation.type is DEPRECATED and only exposed on
+            // mobile Chrome. On desktop Chrome (Windows/Mac/Linux) it's
+            // not present — `'type' in navigator.connection` returns
+            // false. Only include it when spoofing a mobile UA, else
+            // its presence is a fingerprint tell against the desktop
+            // platform our UA collection currently advertises.
+            if (/Android|iPhone|iPad|iPod|Mobile/i.test(userAgent || '')) {
+              connectionInfoStable.type = ((h >>> 12) % 10) < 7 ? 'wifi' : 'cellular';
+            }
             Object.defineProperty(navigator, 'connection', {
               get: () => connectionInfoStable
             });
@@ -1354,29 +1595,140 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'speechSynthesis spoofing');
 
-        // AudioContext — headless has distinct audio processing fingerprint
+        // AudioContext fingerprint spoofing — intercept the actual READ
+        // surface fingerprinters care about.
+        //
+        // Previous spoof modified default frequency / threshold values on
+        // OscillatorNode / DynamicsCompressor at create time. That was
+        // essentially useless: real audio fingerprinters do
+        //   const osc = ctx.createOscillator();
+        //   osc.frequency.value = 1000;  // ← OVERWRITES our noise
+        //   ... render ... ctx.startRendering().then(buf => hash(buf.getChannelData(0)));
+        // The noise we put on the default 440 Hz was blown away the
+        // moment the probe set its own value, and never affected the
+        // rendered output the fingerprinter actually hashes.
+        //
+        // Correct attack surface: AudioBuffer.prototype.getChannelData.
+        // EVERY audio fingerprinter ends up reading the rendered buffer
+        // via this method (it's the only way to get Float32Array data
+        // out). Wrap it at the prototype so all AudioBuffers (from
+        // OfflineAudioContext.startRendering, from AudioBufferSourceNode,
+        // from decodeAudioData, etc.) get the same treatment.
+        //
+        // Noise design:
+        //   - sparse (every 100th sample) so audio remains perceptually
+        //     identical if actually played
+        //   - tiny magnitude (±0.00005) so the hash differs but the wave
+        //     shape doesn't
+        //   - deterministic per session (audioSeed) so repeated renders
+        //     of the same audio produce the same noised output
+        //   - per-(buffer, channel) idempotency via WeakMap: calling
+        //     getChannelData(0) twice on the same buffer returns the
+        //     same data (real Chrome's getChannelData returns a stable
+        //     Float32Array view; double-noising on second call would be
+        //     detectable)
         safeExecute(() => {
-          if (window.AudioContext || window.webkitAudioContext) {
-            const OrigAudioContext = window.AudioContext || window.webkitAudioContext;
-            const origCreateOscillator = OrigAudioContext.prototype.createOscillator;
-            const origCreateDynamicsCompressor = OrigAudioContext.prototype.createDynamicsCompressor;
-            
-            // Inject deterministic noise into audio output — consistent per session
-            const audioNoiseSeed = Math.random() * 0.01 - 0.005;
-            const compNoiseSeed = Math.random() * 0.1 - 0.05;
-            
-            OrigAudioContext.prototype.createOscillator = function() {
-              const osc = origCreateOscillator.call(this);
-              const origFreq = osc.frequency.value;
-              osc.frequency.value = origFreq + audioNoiseSeed;
-              return osc;
+          if (typeof AudioBuffer === 'undefined' || !AudioBuffer.prototype || typeof AudioBuffer.prototype.getChannelData !== 'function') return;
+
+          const audioSeed = Math.floor(Math.random() * 2147483647);
+          const noisedChannels = new WeakMap(); // buffer -> Set<channel>
+
+          // Shared noise function so getChannelData and copyFromChannel
+          // produce noise at the SAME source-channel positions
+          // (mod 100). A detector comparing a value from one method
+          // against the same source position read via the other method
+          // sees consistent noised values — no cross-method anomaly.
+          const noiseAt = (channel, srcIdx) => {
+            const n = ((audioSeed ^ srcIdx ^ (channel * 31)) * 1103515245 + 12345) & 0x7fffffff;
+            return (n / 0x7fffffff) * 0.0001 - 0.00005;
+          };
+
+          const origGetChannelData = AudioBuffer.prototype.getChannelData;
+          const wrappedGetChannelData = function(channel) {
+            const data = origGetChannelData.call(this, channel);
+            // Cap large buffers — per-sample loop on multi-MB Float32Arrays
+            // is too slow. 1M samples ≈ 22.6s of 44.1kHz mono audio; way
+            // beyond what fingerprinters use (typically 44k = 1s).
+            if (data.length > 1000000) return data;
+
+            let channelSet = noisedChannels.get(this);
+            if (!channelSet) {
+              channelSet = new Set();
+              noisedChannels.set(this, channelSet);
+            }
+            if (!channelSet.has(channel)) {
+              for (let i = 0; i < data.length; i += 100) {
+                data[i] = Math.max(-1, Math.min(1, data[i] + noiseAt(channel, i)));
+              }
+              channelSet.add(channel);
+            }
+            return data;
+          };
+          maskAsNative(wrappedGetChannelData, 'getChannelData');
+          AudioBuffer.prototype.getChannelData = wrappedGetChannelData;
+
+          // copyFromChannel — alternative read API. Without wrapping it,
+          // a fingerprinter calling `buffer.copyFromChannel(dest, 0, 0)`
+          // instead of `buffer.getChannelData(0)` gets the unmodified
+          // canonical Chrome data, fully bypassing our getChannelData
+          // noise. Same defense logic applied here; noise aligned by
+          // SOURCE channel position (startInChannel + destination
+          // offset) so cross-method consistency holds.
+          if (typeof AudioBuffer.prototype.copyFromChannel === 'function') {
+            const origCopyFromChannel = AudioBuffer.prototype.copyFromChannel;
+            const wrappedCopyFromChannel = function(destination, channelNumber, startInChannel) {
+              origCopyFromChannel.call(this, destination, channelNumber, startInChannel);
+              if (!destination || destination.length > 1000000) return;
+              // If getChannelData has ALREADY noised this (buffer,
+              // channel) in-place, origCopyFromChannel just copied the
+              // already-noised data into `destination`. Adding our own
+              // noise on top would produce 2× noise -- detectable via
+              // cross-method consistency probes
+              // (data[i] === dest[i] should hold). Skip when previously
+              // noised.
+              const channelSet = noisedChannels.get(this);
+              if (channelSet && channelSet.has(channelNumber)) return;
+              const startSrc = startInChannel || 0;
+              // Align noise positions to the same mod-100 source-channel
+              // grid getChannelData uses. firstNoisedSrc is the smallest
+              // multiple of 100 >= startSrc; map back to destination index.
+              const firstNoisedSrc = Math.ceil(startSrc / 100) * 100;
+              const firstNoisedDest = firstNoisedSrc - startSrc;
+              for (let destI = firstNoisedDest; destI < destination.length; destI += 100) {
+                const srcIdx = startSrc + destI;
+                destination[destI] = Math.max(-1, Math.min(1, destination[destI] + noiseAt(channelNumber, srcIdx)));
+              }
             };
-            OrigAudioContext.prototype.createDynamicsCompressor = function() {
-              const comp = origCreateDynamicsCompressor.call(this);
-              const origThreshold = comp.threshold.value;
-              comp.threshold.value = origThreshold + compNoiseSeed;
-              return comp;
+            maskAsNative(wrappedCopyFromChannel, 'copyFromChannel');
+            AudioBuffer.prototype.copyFromChannel = wrappedCopyFromChannel;
+          }
+
+          // copyToChannel — page WRITES to the buffer, overwriting any
+          // existing contents (including our in-place noise from a prior
+          // getChannelData call). Without this wrap, the noisedChannels
+          // flag remained set but the underlying data was fresh -- next
+          // getChannelData would SKIP noise (channelSet.has(ch) === true)
+          // and return the page's probe pattern unnoised. A fingerprinter
+          // priming the buffer with a known pattern then re-reading via
+          // getChannelData would see the canonical (unspoofed) values,
+          // confirming our spoof isn't actually noising.
+          // Fix: clear the noisedChannels flag for the written channel
+          // before forwarding the write, so the next read re-noises.
+          if (typeof AudioBuffer.prototype.copyToChannel === 'function') {
+            const origCopyToChannel = AudioBuffer.prototype.copyToChannel;
+            const wrappedCopyToChannel = function(source, channelNumber, startInChannel) {
+              // Forward FIRST. If the original throws (invalid args,
+              // detached buffer, etc.) the buffer is unchanged and we
+              // must NOT clear the noisedChannels flag — otherwise the
+              // next getChannelData would re-noise already-noised data,
+              // stacking 2x noise that drifts on subsequent reads.
+              const result = origCopyToChannel.call(this, source, channelNumber, startInChannel);
+              const channelSet = noisedChannels.get(this);
+              if (channelSet) channelSet.delete(channelNumber);
+              return result;
             };
+            maskAsNative(wrappedCopyToChannel, 'copyToChannel');
+            AudioBuffer.prototype.copyToChannel = wrappedCopyToChannel;
           }
         }, 'AudioContext fingerprint spoofing');
 
@@ -1447,50 +1799,143 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'image loading obfuscation');
 
-        // CSS Media Query Spoofing
+        // CSS Media Query Spoofing — specifically the hardware-presence
+        // queries that distinguish a real desktop browser from headless.
         //
-        // CSS media query — pass through normally. Screen dimensions are already spoofed
-        // so matchMedia results will naturally reflect the spoofed values.
-        // No modification needed here.
+        // Headless Chrome reports NO hover device and NO fine pointer
+        // (there's no mouse hardware attached). matchMedia('(any-hover:
+        // hover)') returns matches=false in headless, matches=true in
+        // real desktop. CreepJS and DataDome both probe these queries
+        // explicitly as a hard binary 'is this real browser hardware?'
+        // signal — one of the biggest single contributors to CreepJS's
+        // headless-detection score.
+        //
+        // Pass-through for all OTHER queries (max-width, prefers-color-
+        // scheme, etc.) so legitimate responsive-design checks still work.
+        // Screen-dimension queries naturally reflect the already-spoofed
+        // screen.width/height — no extra handling needed for those.
+        safeExecute(() => {
+          if (typeof window.matchMedia !== 'function') return;
+          const origMatchMedia = window.matchMedia;
+          // Make a fake MediaQueryList that quacks like the real thing.
+          // Real Chrome's MediaQueryList implements EventTarget, so the
+          // listener methods need to exist as callable no-ops.
+          const fakeMql = (query, matches) => ({
+            matches,
+            media: query,
+            onchange: null,
+            addEventListener: () => {},
+            removeEventListener: () => {},
+            addListener: () => {},      // deprecated alias but still present in Chrome
+            removeListener: () => {},
+            dispatchEvent: () => false
+          });
+          window.matchMedia = function(query) {
+            const q = String(query || '').toLowerCase();
+            // Spoof to "yes, mouse + hover hardware present" — the real
+            // desktop answer. Match both `(any-hover: hover)` and the
+            // legacy `(hover: hover)`; same for pointer.
+            if (q.includes('any-hover: hover') || q.includes('hover: hover')) {
+              return fakeMql(query, true);
+            }
+            if (q.includes('any-hover: none') || q.includes('hover: none')) {
+              return fakeMql(query, false);
+            }
+            if (q.includes('any-pointer: fine') || q.includes('pointer: fine')) {
+              return fakeMql(query, true);
+            }
+            if (q.includes('any-pointer: none') || q.includes('pointer: none')) {
+              return fakeMql(query, false);
+            }
+            if (q.includes('any-pointer: coarse') || q.includes('pointer: coarse')) {
+              return fakeMql(query, false);  // desktop = no coarse touch pointer
+            }
+            // Anything else falls through to real matchMedia (responsive
+            // queries, color-scheme, reduced-motion, etc. all behave normally).
+            return origMatchMedia.call(this, query);
+          };
+        }, 'matchMedia hover/pointer spoofing');
 
         // Enhanced WebRTC Spoofing
         //
+        // Previously stripped only RFC1918 private IPs from ICE candidates,
+        // which leaked the STUN-discovered public IP (`typ srflx`) — visible
+        // in CreepJS's WebRTC section and trivially also probed by DataDome
+        // and other modern fingerprint suites. STUN traffic is UDP, so it
+        // bypasses the SOCKS5 proxy entirely, meaning the real host IP
+        // reaches the fingerprinter regardless of proxy config.
+        //
+        // Fix: strip EVERY ICE candidate (host / srflx / prflx / relay /
+        // mDNS). The scanner never needs functional WebRTC peer connections,
+        // so complete suppression is the right trade-off — the page sees
+        // ICE gathering complete with zero candidates, indistinguishable
+        // from a real browser with no usable network interfaces. The
+        // null-candidate sentinel (end-of-gathering signal) still fires so
+        // calling code that awaits ICE-complete doesn't hang.
         safeExecute(() => {
           if (window.RTCPeerConnection) {
             const OriginalRTC = window.RTCPeerConnection;
+            // Filter helper hoisted so both addEventListener and the
+            // property-handler paths apply identical filtering.
+            const stripCandidate = (event) => !event.candidate;
+
             window.RTCPeerConnection = function(...args) {
               const pc = new OriginalRTC(...args);
-              
-              // Intercept onicecandidate to strip local IP addresses
+
               const origAddEventListener = pc.addEventListener.bind(pc);
-              pc.addEventListener = function(type, listener, ...rest) {
+              // Named function (not anonymous) so maskAsNative gets a sensible
+              // 'addEventListener' name when reporting [native code]. The
+              // bulk-mask block at end of applyFingerprintProtection masks
+              // window-level functions ONCE; per-instance functions created
+              // inside this factory (one new closure per `new RTCPeerConnection()`)
+              // would slip through unmasked — detectable via
+              // pc.addEventListener.toString(). Mask each per-instance to
+              // close that.
+              const addEventListenerWrap = function(type, listener, ...rest) {
                 if (type === 'icecandidate') {
                   const wrappedListener = function(event) {
-                    if (event.candidate && event.candidate.candidate) {
-                      // Strip candidates containing local/private IPs
-                      const c = event.candidate.candidate;
-                      if (c.includes('.local') || /(?:10|172\.(?:1[6-9]|2\d|3[01])|192\.168)\./.test(c)) {
-                        return; // suppress local IP candidates
-                      }
-                    }
-                    listener.call(this, event);
+                    if (stripCandidate(event)) listener.call(this, event);
                   };
                   return origAddEventListener(type, wrappedListener, ...rest);
                 }
                 return origAddEventListener(type, listener, ...rest);
               };
-              
-              // Also intercept the property-based handler
-              let _onicecandidateHandler = null;
+              maskAsNative(addEventListenerWrap, 'addEventListener');
+              pc.addEventListener = addEventListenerWrap;
+
+              // Property-based handler. Previously this just stored the
+              // handler in a local variable and never wired it up — pages
+              // setting `pc.onicecandidate = fn` got NO events at all,
+              // detectable as a mismatch vs addEventListener (which DID
+              // fire). Now we forward the wrapped handler to the underlying
+              // setter so both paths behave identically: the page sees only
+              // the null-candidate sentinel. Both get/set extracted to named
+              // consts so maskAsNative can wrap them — without this, a probe
+              // doing `Object.getOwnPropertyDescriptor(pc, 'onicecandidate').get.toString()`
+              // would see the arrow-function source instead of [native code].
+              let _userHandler = null;
+              const getOnIceCandidate = function() { return _userHandler; };
+              const setOnIceCandidate = function(handler) {
+                _userHandler = handler;
+                // Use the prototype setter so we don't infinite-loop on
+                // our own defineProperty. The wrapped handler applies
+                // the same filter as addEventListener.
+                const proto = Object.getPrototypeOf(pc);
+                const desc = Object.getOwnPropertyDescriptor(proto, 'onicecandidate');
+                if (desc && desc.set) {
+                  desc.set.call(pc, typeof handler === 'function'
+                    ? function(event) { if (stripCandidate(event)) handler.call(this, event); }
+                    : handler);
+                }
+              };
+              maskAsNative(getOnIceCandidate, 'get onicecandidate');
+              maskAsNative(setOnIceCandidate, 'set onicecandidate');
               Object.defineProperty(pc, 'onicecandidate', {
-                get: () => _onicecandidateHandler,
-                set: (handler) => {
-                  _onicecandidateHandler = handler;
-                  // No-op — the addEventListener wrapper above handles filtering
-                },
+                get: getOnIceCandidate,
+                set: setOnIceCandidate,
                 configurable: true
               });
-              
+
               return pc;
             };
             Object.setPrototypeOf(window.RTCPeerConnection, OriginalRTC);
@@ -1606,6 +2051,109 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           };
         }, 'performance timing obfuscation');
 
+        // PerformanceNavigationTiming jitter — wrap entries returned by
+        // performance.getEntriesByType('navigation') with a Proxy that adds
+        // ±0.5ms jitter to each timing field. Headless Chrome's navigation
+        // timings are suspiciously deterministic (no UI competing for the
+        // main thread, no GC stalls from background rendering); adding
+        // small jitter makes the per-phase durations look human-like.
+        // Probed by some ad-network fingerprinters (e.g. ct.captcha-delivery,
+        // popunder loaders sampling for fraud heuristics) as a 'robotic
+        // timing' signal. Per-entry jitter offsets cached via WeakMap so
+        // repeated reads on the same entry stay consistent (real navigation
+        // timing values are stable per navigation).
+        //
+        // Scope: navigation entries only. 'resource' entries (per-subresource
+        // timing) and PerformanceObserver-delivered entries are NOT wrapped
+        // — significant additional complexity for marginal gain since
+        // typical fingerprinters check only navigation timing.
+        safeExecute(() => {
+          if (typeof performance === 'undefined' || typeof performance.getEntriesByType !== 'function') return;
+
+          const TIMING_FIELDS = new Set([
+            'fetchStart', 'startTime', 'duration', 'redirectStart', 'redirectEnd',
+            'workerStart',  // service-worker startup timing (was missing — partial-coverage tell)
+            'domainLookupStart', 'domainLookupEnd',
+            'connectStart', 'connectEnd', 'secureConnectionStart',
+            'requestStart', 'responseStart', 'responseEnd',
+            'domInteractive', 'domContentLoadedEventStart', 'domContentLoadedEventEnd',
+            'domComplete', 'loadEventStart', 'loadEventEnd'
+          ]);
+          const wrappedEntries = new WeakMap();
+
+          const wrapEntry = (entry) => {
+            if (entry == null || typeof entry !== 'object') return entry;
+            const cached = wrappedEntries.get(entry);
+            if (cached) return cached.proxy;
+
+            // Per-(entry, field) jitter cache so repeated reads of the
+            // same timing field return the SAME jittered value (real
+            // PerformanceNavigationTiming values are immutable per
+            // navigation; jitter-noise on every read would be detectable
+            // as anomalous). Don't jitter 0 -- those mean 'event never
+            // occurred' (e.g. secureConnectionStart=0 for non-HTTPS);
+            // adding noise would invent a connection that didn't happen.
+            const jitterCache = new Map();
+            const getJittered = (field, value) => {
+              if (typeof value !== 'number' || value === 0) return value;
+              let v = jitterCache.get(field);
+              if (v === undefined) {
+                v = value + (Math.random() - 0.5); // ±0.5ms
+                jitterCache.set(field, v);
+              }
+              return v;
+            };
+
+            // Per-property bound-method cache so accessing the same method
+            // twice returns the same function identity (`p.toJSON === p.toJSON`
+            // is true on real Chrome; without caching, Proxy returns a new
+            // bound function every access — strict-equality probes catch us).
+            // Bound methods also maskAsNative'd so their .toString() reports
+            // '[native code]' rather than the bound-fn source.
+            const methodCache = new Map();
+
+            const proxy = new Proxy(entry, {
+              get(target, prop) {
+                const value = target[prop];
+                if (TIMING_FIELDS.has(prop)) return getJittered(prop, value);
+                if (typeof value === 'function') {
+                  let m = methodCache.get(prop);
+                  if (m === undefined) {
+                    if (prop === 'toJSON') {
+                      // toJSON drives JSON.stringify; apply same per-field
+                      // jitter cache to the serialised object so direct-read
+                      // and JSON-roundtrip yield identical values.
+                      m = function() {
+                        const json = value.call(target);
+                        for (const f of TIMING_FIELDS) {
+                          if (f in json) json[f] = getJittered(f, json[f]);
+                        }
+                        return json;
+                      };
+                    } else {
+                      m = value.bind(target);
+                    }
+                    maskAsNative(m, prop);
+                    methodCache.set(prop, m);
+                  }
+                  return m;
+                }
+                return value;
+              }
+            });
+            wrappedEntries.set(entry, { proxy, jitterCache, methodCache });
+            return proxy;
+          };
+
+          const origGetByType = performance.getEntriesByType;
+          performance.getEntriesByType = function(type) {
+            const entries = origGetByType.call(this, type);
+            if (type === 'navigation') return entries.map(wrapEntry);
+            return entries;
+          };
+          maskAsNative(performance.getEntriesByType, 'getEntriesByType');
+        }, 'PerformanceNavigationTiming jitter');
+
         // Canvas fingerprinting protection
         //
         safeExecute(() => {
@@ -1635,29 +2183,46 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             return imageData;
           };
 
-          const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
-          HTMLCanvasElement.prototype.toDataURL = function(...args) {
-            // Apply same deterministic noise by reading through spoofed getImageData
+          // Cache of canvases already noised in their current bytes. toDataURL
+          // and toBlob both do a getImageData + putImageData round-trip to
+          // bake noise into the canvas before the actual export. Each
+          // round-trip is O(width × height) -- ~2M iterations for a 1920x1080
+          // canvas, capped at 500k pixels via the size guard below.
+          //
+          // Repeated calls on the SAME canvas don't need re-noising: the
+          // first call already wrote noised pixel data into the canvas via
+          // putImageData. Skip the round-trip for subsequent calls; the
+          // canvas backing store still has the noised content. Trade-off:
+          // if a page redraws between calls (canvas.drawImage, fillRect,
+          // etc.), the new content won't be re-noised. Acceptable for the
+          // common fingerprinter pattern (draw probe content -> single
+          // toDataURL -> compare to known signature); pathological for
+          // animated canvases that re-toDataURL per frame. WeakMap so a
+          // GC'd canvas drops its noise-cache entry automatically.
+          const noisedCanvases = new WeakMap();
+
+          const applyCanvasNoise = function(canvas) {
+            if (noisedCanvases.has(canvas)) return;
             try {
-              const ctx = this.getContext('2d');
-              if (ctx && this.width > 0 && this.height > 0 && this.width * this.height < 500000) {
-                const imageData = ctx.getImageData(0, 0, this.width, this.height);
+              const ctx = canvas.getContext('2d');
+              if (ctx && canvas.width > 0 && canvas.height > 0 && canvas.width * canvas.height < 500000) {
+                const imageData = ctx.getImageData(0, 0, canvas.width, canvas.height);
                 ctx.putImageData(imageData, 0, 0);
+                noisedCanvases.set(canvas, true);
               }
             } catch (e) {} // WebGL or other context — skip
+          };
+
+          const originalToDataURL = HTMLCanvasElement.prototype.toDataURL;
+          HTMLCanvasElement.prototype.toDataURL = function(...args) {
+            applyCanvasNoise(this);
             return originalToDataURL.apply(this, args);
           };
 
           const originalToBlob = HTMLCanvasElement.prototype.toBlob;
           if (originalToBlob) {
             HTMLCanvasElement.prototype.toBlob = function(callback, ...args) {
-              try {
-                const ctx = this.getContext('2d');
-                if (ctx && this.width > 0 && this.height > 0 && this.width * this.height < 500000) {
-                  const imageData = ctx.getImageData(0, 0, this.width, this.height);
-                  ctx.putImageData(imageData, 0, 0);
-                }
-              } catch (e) {}
+              applyCanvasNoise(this);
               return originalToBlob.call(this, callback, ...args);
             };
           }
@@ -1665,13 +2230,36 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
 
         // Battery API spoofing
         //
+        // Previously: `Math.random()` for every field, fired on every
+        // evaluateOnNewDocument injection (i.e. every page load). Battery
+        // 'level' jumping from 0.42 to 0.87 to 0.31 across navigations on
+        // the same site is anomalous -- real battery state changes slowly
+        // (minutes, not seconds). Detector noting battery delta across
+        // reloads catches us.
+        //
+        // Now: FNV-1a hash of window.location.hostname seeds all four
+        // fields. Stable per-domain across navigations; varies across
+        // sites (so cross-publisher correlation isn't trivial via this
+        // signal). Also corrects two real-Chrome invariants the old
+        // spoof violated:
+        //   - charging=true  -> chargingTime finite, dischargingTime = Infinity
+        //   - charging=false -> chargingTime = Infinity, dischargingTime finite
+        // The old spoof could produce 'both finite' which never happens
+        // in real Chrome.
         safeExecute(() => {
           if (navigator.getBattery) {
+            // FNV-1a 32-bit hash of the hostname -- cheap, deterministic.
+            let h = 0x811c9dc5;
+            const domain = (window.location && window.location.hostname) || '';
+            for (let i = 0; i < domain.length; i++) {
+              h = ((h ^ domain.charCodeAt(i)) * 0x01000193) >>> 0;
+            }
+            const charging = (h & 1) === 1;
             const batteryState = {
-              charging: Math.random() > 0.5,
-              chargingTime: Math.random() > 0.5 ? Infinity : Math.floor(Math.random() * 3600),
-              dischargingTime: Math.floor(Math.random() * 7200),
-              level: Math.round((Math.random() * 0.7 + 0.25) * 100) / 100,
+              charging,
+              chargingTime: charging ? (((h >>> 4) % 3540) + 60) : Infinity,        // 60..3600s when charging
+              dischargingTime: charging ? Infinity : (((h >>> 8) % 6600) + 600),    // 600..7200s when on battery
+              level: Math.round((((h >>> 16) % 70) + 25)) / 100,                    // 0.25..0.94, 2-decimal precision
               addEventListener: () => {},
               removeEventListener: () => {},
               dispatchEvent: () => true
@@ -1685,10 +2273,20 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         // Enhanced Mouse/Pointer Spoofing
         //
         safeExecute(() => {
-          // Spoof pointer capabilities
-          const spoofedTouchPoints = Math.random() > 0.7 ? 0 : Math.floor(Math.random() * 5) + 1;
+          // Spoof pointer capabilities — UA-consistent. Previous code did
+          //   Math.random() > 0.7 ? 0 : Math.floor(Math.random() * 5) + 1
+          // which randomly told the page 'this Windows Chrome has 3 touch
+          // points' -- a fingerprinter cross-checking userAgent against
+          // maxTouchPoints catches the invariant violation:
+          //   Windows/Mac/Linux Chrome   -> maxTouchPoints = 0
+          //   iOS Safari, Android Chrome -> maxTouchPoints = 5 (typical)
+          //   Touch-laptop hybrid        -> maxTouchPoints = 10 (rare)
+          // Use the spoofed UA (userAgent variable in this closure) to
+          // pick the right value. Mobile UAs get 5; desktop UAs get 0.
+          const isMobileUA = /Android|iPhone|iPad|iPod|Mobile/i.test(userAgent || '');
+          const spoofedTouchPoints = isMobileUA ? 5 : 0;
           if (navigator.maxTouchPoints !== undefined) {
-            safeDefinePropertyLocal(navigator, 'maxTouchPoints', { 
+            safeDefinePropertyLocal(navigator, 'maxTouchPoints', {
               get: () => spoofedTouchPoints
             });
           }
@@ -1810,21 +2408,24 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
 
         }, 'console error suppression');
         
-        // Hide source URL indicators (data: URLs reveal script injection)
-        safeExecute(() => {
-          const originalLocation = window.location;
-          Object.defineProperty(window, 'location', {
-            value: new Proxy(originalLocation, {
-              get: function(target, prop) {
-                if (prop === 'href' && target[prop] && target[prop].includes('data:')) {
-                  return 'about:blank';
-                }
-                return target[prop];
-              }
-            }),
-            configurable: false
-          });
-        }, 'location URL masking');
+        // NOTE: The previous `location URL masking` Proxy was removed.
+        // It wrapped window.location in a Proxy to return 'about:blank' when
+        // location.href.includes('data:') — a bookmarklet/extension-injection
+        // hider. nwss.js always navigates to real http(s) URLs via page.goto(),
+        // so location.href never contains 'data:' and the spoof was dead code
+        // for every real scan path. Costs it imposed before removal:
+        //   - `configurable: false` on window.location blocked page-side
+        //     navigation guards (Cloudflare rocket-loader, ad-script location
+        //     manipulation, popunder teardown) from redefining window.location.
+        //   - Proxy boundary visible via Object.getOwnPropertyDescriptor
+        //     (Proxy's value-as-non-spec-shape is a detectable surface).
+        //   - Page-side Object.defineProperty(location, 'href', ...) calls
+        //     hit the Proxy first, then forwarded to a spec-non-configurable
+        //     property, throwing "Cannot redefine property: href" — log noise
+        //     and a contributor to post-popup browser-unresponsive states on
+        //     popunder sites (eztv1.xyz scan reproduced this).
+        // If a future use case actually loads via data: URL, reintroduce as a
+        // get-trap-only Proxy with configurable:true so pages can override.
 
         // Bulk-mask all spoofed prototype methods so toString() returns "[native code]"
         // Must run AFTER all overrides are applied
@@ -1856,10 +2457,17 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (typeof window.fetch === 'function') maskAsNative(window.fetch, 'fetch');
           if (typeof window.PointerEvent === 'function') maskAsNative(window.PointerEvent, 'PointerEvent');
           if (typeof console.debug === 'function') maskAsNative(console.debug, 'debug');
+          // Methods added in this session — same toString-tampering concern.
+          if (typeof window.matchMedia === 'function') maskAsNative(window.matchMedia, 'matchMedia');
+          if (typeof document.hasStorageAccess === 'function') maskAsNative(document.hasStorageAccess, 'hasStorageAccess');
+          if (typeof navigator.getInstalledRelatedApps === 'function') maskAsNative(navigator.getInstalledRelatedApps, 'getInstalledRelatedApps');
 
           // Mask property getters on navigator
+          // 'userActivation' added in this session; 'productSub'/'vendorSub'
+          // are this commit's additions alongside the existing vendor/product.
           const navProps = ['userAgentData', 'connection', 'pdfViewerEnabled', 'webdriver',
-                            'hardwareConcurrency', 'deviceMemory', 'platform', 'maxTouchPoints'];
+                            'hardwareConcurrency', 'deviceMemory', 'platform', 'maxTouchPoints',
+                            'userActivation', 'vendor', 'product', 'productSub', 'vendorSub'];
           navProps.forEach(prop => {
             // Check both instance and prototype (webdriver lives on prototype)
             const desc = Object.getOwnPropertyDescriptor(navigator, prop)
@@ -1867,8 +2475,18 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             if (desc?.get) maskAsNative(desc.get, 'get ' + prop);
           });
 
-          // Mask window property getters
-          ['screenX', 'screenY', 'outerWidth', 'outerHeight'].forEach(prop => {
+          // Mask Notification.permission getter (static property, added this session).
+          if (typeof Notification !== 'undefined') {
+            const npDesc = Object.getOwnPropertyDescriptor(Notification, 'permission');
+            if (npDesc?.get) maskAsNative(npDesc.get, 'get permission');
+          }
+
+          // Mask screen.orientation getter (added this session).
+          const orientDesc = Object.getOwnPropertyDescriptor(window.screen, 'orientation');
+          if (orientDesc?.get) maskAsNative(orientDesc.get, 'get orientation');
+
+          // Mask window property getters — screenLeft/Top added this session.
+          ['screenX', 'screenY', 'screenLeft', 'screenTop', 'outerWidth', 'outerHeight'].forEach(prop => {
             const desc = Object.getOwnPropertyDescriptor(window, prop);
             if (desc?.get) maskAsNative(desc.get, 'get ' + prop);
           });
@@ -2053,19 +2671,22 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       // Platform, memory, and hardware spoofing combined for better V8 optimization
       // (moved into navigatorProps above);
 
-      const connectionInfo = {
-        effectiveType: ['slow-2g', '2g', '3g', '4g'][Math.floor(Math.random() * 4)],
-        type: Math.random() > 0.5 ? 'cellular' : 'wifi',
-        saveData: Math.random() > 0.8,
-        downlink: 1.5 + Math.random() * 8,
-        rtt: 50 + Math.random() * 200
-      };
+      // navigator.connection spoof DELETED -- was dead code.
+      // The UA-spoof block (applyUserAgentSpoofing's eOND, ~line 1452)
+      // already defines navigator.connection earlier in the eOND
+      // registration order, with Object.defineProperty (default
+      // configurable: false). The previous re-spoof here used
+      // safeDefinePropertyLocal which has an `existing?.configurable
+      // === false` guard, so it silently failed every time the UA spoof
+      // ran. Net effect: per-navigation random connection values
+      // generated here NEVER reached navigator.connection -- the
+      // hardcoded '4g'/wifi/50/10 from the UA block always won.
+      // Removing this block has zero behavioural change in the typical
+      // (UA + fingerprint_protection) case, and makes the code's actual
+      // behaviour match what reading it would suggest. Per-domain
+      // realistic-randomization of connection is a future improvement;
+      // do it ONCE in the UA-spoof block, not twice with one of them dead.
 
-      // Connection type spoofing
-      safeDefinePropertyLocal(navigator, 'connection', {
-        get: () => connectionInfo
-      });
-      
       // Screen properties spoofing
       const screenSpoofProps = {};
       ['width', 'height', 'availWidth', 'availHeight', 'colorDepth', 'pixelDepth'].forEach(prop => {