@fanboynz/network-scanner 3.0.3 → 3.1.0

package/lib/fingerprint.js

@@ -28,13 +28,24 @@ const FINGERPRINT_CACHE_MAX = 500;
 
 // User agent collections with latest versions
 const USER_AGENT_COLLECTIONS = Object.freeze(new Map([
-  ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['chrome_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['chrome_linux', "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['firefox', "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['firefox_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['firefox_linux', "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['safari', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Safari/605.1.15"]
+  // Chrome version uses the reduced 'X.0.0.0' privacy-preserving form (per
+  // Chrome's UA reduction since v101). The full build (148.0.7778.179) is
+  // not exposed via UA in modern Chrome — UA-Client-Hints carries that
+  // separately. User confirmed Chrome 148 stable as of late May 2026.
+  ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  ['chrome_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  ['chrome_linux', "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  // Firefox 151 stable (user-confirmed: 151.0.2). UA convention is to use
+  // major.minor for both rv: and Firefox/ — patch level is not customary
+  // in the UA string and matches existing nwss style.
+  ['firefox', "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  ['firefox_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  ['firefox_linux', "Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  // Safari 19.5 estimated current stable as of late May 2026 (macOS Tahoe).
+  // Not user-confirmed; adjust if a more recent Safari version is verified.
+  // The Version/X.Y prefix is what fingerprinters key off; Safari/605.1.15
+  // is the long-stable WebKit version string (~unchanged since Safari 17).
+  ['safari', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/19.5 Safari/605.1.15"]
 ]));
 
 // GPU pool — realistic vendor/renderer combos per OS (used for WebGL spoofing)
@@ -590,7 +601,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 // consistent number. Was hardcoded "146.0.0.0" which lied
                 // any time the UA was rotated to a different Chrome major.
                 const m = userAgent.match(/Chrome\/(\d+)/);
-                const major = m ? m[1] : '146';
+                const major = m ? m[1] : '148';
                 return {
                   name: "Chrome",
                   version: `${major}.0.0.0`,
@@ -906,8 +917,15 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 platformVersion: platformVersion,
                 fullVersionList: [
                   { brand: 'Not:A-Brand', version: '99.0.0.0' },
-                  { brand: 'Google Chrome', version: majorVersion + '.0.7632.160' },
-                  { brand: 'Chromium', version: majorVersion + '.0.7632.160' }
+                  // Build number 7778.179 matches real Chrome 148 stable
+                  // (per user-confirmed installed version as of late May 2026).
+                  // Prior 7632.160 was Chrome 145's build — outdated for 148.
+                  // If Chrome major bumps in future, update this build number
+                  // too — fullVersionList being inconsistent with the major
+                  // version is a fingerprint-detection signal (a real Chrome
+                  // 148 install would never report a 7632.x build).
+                  { brand: 'Google Chrome', version: majorVersion + '.0.7778.179' },
+                  { brand: 'Chromium', version: majorVersion + '.0.7778.179' }
                 ]
               };
               // Only return requested hints
@@ -1390,7 +1408,20 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           // simulation (interact / ghost-cursor) both should be true; we
           // default to true so a site checking before our synthetic
           // gestures fire still sees a 'user activated' page.
-          if (navigator && !navigator.userActivation) {
+          //
+          // ALWAYS override — the prior guard `if (!navigator.userActivation)`
+          // meant this code only fired when the property was missing.
+          // But navigator.userActivation has existed in Chrome since
+          // version 88 (Jan 2021) — modern Chrome (the UA we spoof)
+          // always has it natively. The guard therefore prevented the
+          // spoof from ever firing in normal use; real headless Chrome's
+          // hasBeenActive=false / isActive=false leaked through, an
+          // easy bot signal that many modern detectors check
+          // (DataDome, PerimeterX, the AdsCore-integrated popunder
+          // loaders like blazyload.min.js which probe userActivation 6×
+          // to gate window.open). Drop the guard so we always shadow
+          // the prototype-level getter with our true/true values.
+          if (navigator) {
             try {
               const userActivation = {
                 hasBeenActive: true,
@@ -1455,17 +1486,80 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         // `navigator.connection === navigator.connection`; previously
         // the getter returned a new object on every read, which a
         // tracker could detect by comparing references.
+        //
+        // Per-domain seeded values (FNV-1a hash of hostname): hardcoded
+        // '4g/wifi/50/10' across every site was a cross-publisher
+        // tracking axis -- a fingerprinter aggregating across N sites
+        // running the same script saw identical connection values
+        // everywhere, useful as a stable identity signal. Domain-seeding
+        // breaks that while keeping values stable per-domain (real
+        // navigator.connection IS stable per-session; per-navigation
+        // randomness would be its own anomaly). Same pattern as the
+        // Battery API fix in c1affe4.
         safeExecute(() => {
           if (!navigator.connection) {
+            let h = 0x811c9dc5;
+            const domain = (window.location && window.location.hostname) || '';
+            for (let i = 0; i < domain.length; i++) {
+              h = ((h ^ domain.charCodeAt(i)) * 0x01000193) >>> 0;
+            }
+            // 4g 75%, 3g 18%, 2g 5%, slow-2g 2% — distribution biased
+            // toward modern broadband since most page loads happen there.
+            const etRoll = (h >>> 4) % 100;
+            const effectiveType = etRoll < 75 ? '4g'
+                                : etRoll < 93 ? '3g'
+                                : etRoll < 98 ? '2g'
+                                : 'slow-2g';
+            // rtt + downlink MUST correlate with effectiveType — the
+            // W3C Network Information API defines effectiveType as a
+            // CLASSIFICATION of rtt/downlink ranges, so producing
+            // slow-2g with 32.5 Mbps downlink (as the prior uncorrelated
+            // version did) is physically impossible in real Chrome. A
+            // detector cross-checking effectiveType against rtt/downlink
+            // magnitudes catches that trivially. Ranges below match the
+            // spec's boundaries:
+            //   slow-2g: rtt > 2000ms, downlink < 0.05 Mbps
+            //   2g:      rtt > 1400ms, downlink < 0.07 Mbps
+            //   3g:      rtt > 270ms,  downlink < 0.7 Mbps
+            //   4g:      rtt < 270ms,  downlink >= 0.7 Mbps
+            const rttRange = effectiveType === '4g'      ? [25, 250]
+                           : effectiveType === '3g'      ? [275, 1400]
+                           : effectiveType === '2g'      ? [1425, 2000]
+                           : /* slow-2g */                 [2025, 5000];
+            const dlRange  = effectiveType === '4g'      ? [1.0, 50.0]
+                           : effectiveType === '3g'      ? [0.1, 0.7]
+                           : effectiveType === '2g'      ? [0.05, 0.07]
+                           : /* slow-2g */                 [0.01, 0.05];
+            // 25ms-bucketed rtt (Chrome's privacy rounding granularity)
+            const rttRaw = rttRange[0] + (((h >>> 8) % 1000) / 1000) * (rttRange[1] - rttRange[0]);
+            const rtt = Math.round(rttRaw / 25) * 25;
+            // 0.025-precision downlink (Chrome's privacy rounding)
+            const dlRaw = dlRange[0] + (((h >>> 16) % 1000) / 1000) * (dlRange[1] - dlRange[0]);
+            const downlink = Math.round(dlRaw * 40) / 40;
+            // saveData ~5% — most users don't enable Data Saver
+            const saveData = ((h >>> 24) & 0xff) < 13;
+            // NetworkInformation extends EventTarget — real Chrome has
+            // dispatchEvent in addition to add/removeEventListener.
+            // Returning true per the EventTarget spec for the
+            // no-listeners case (no preventDefault called).
             const connectionInfoStable = {
-              effectiveType: '4g',
-              rtt: 50,
-              downlink: 10,
-              saveData: false,
-              type: 'wifi',
+              effectiveType,
+              rtt,
+              downlink,
+              saveData,
               addEventListener: () => {},
-              removeEventListener: () => {}
+              removeEventListener: () => {},
+              dispatchEvent: () => true
             };
+            // NetworkInformation.type is DEPRECATED and only exposed on
+            // mobile Chrome. On desktop Chrome (Windows/Mac/Linux) it's
+            // not present — `'type' in navigator.connection` returns
+            // false. Only include it when spoofing a mobile UA, else
+            // its presence is a fingerprint tell against the desktop
+            // platform our UA collection currently advertises.
+            if (/Android|iPhone|iPad|iPod|Mobile/i.test(userAgent || '')) {
+              connectionInfoStable.type = ((h >>> 12) % 10) < 7 ? 'wifi' : 'cellular';
+            }
             Object.defineProperty(navigator, 'connection', {
               get: () => connectionInfoStable
             });
@@ -1501,29 +1595,140 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'speechSynthesis spoofing');
 
-        // AudioContext — headless has distinct audio processing fingerprint
+        // AudioContext fingerprint spoofing — intercept the actual READ
+        // surface fingerprinters care about.
+        //
+        // Previous spoof modified default frequency / threshold values on
+        // OscillatorNode / DynamicsCompressor at create time. That was
+        // essentially useless: real audio fingerprinters do
+        //   const osc = ctx.createOscillator();
+        //   osc.frequency.value = 1000;  // ← OVERWRITES our noise
+        //   ... render ... ctx.startRendering().then(buf => hash(buf.getChannelData(0)));
+        // The noise we put on the default 440 Hz was blown away the
+        // moment the probe set its own value, and never affected the
+        // rendered output the fingerprinter actually hashes.
+        //
+        // Correct attack surface: AudioBuffer.prototype.getChannelData.
+        // EVERY audio fingerprinter ends up reading the rendered buffer
+        // via this method (it's the only way to get Float32Array data
+        // out). Wrap it at the prototype so all AudioBuffers (from
+        // OfflineAudioContext.startRendering, from AudioBufferSourceNode,
+        // from decodeAudioData, etc.) get the same treatment.
+        //
+        // Noise design:
+        //   - sparse (every 100th sample) so audio remains perceptually
+        //     identical if actually played
+        //   - tiny magnitude (±0.00005) so the hash differs but the wave
+        //     shape doesn't
+        //   - deterministic per session (audioSeed) so repeated renders
+        //     of the same audio produce the same noised output
+        //   - per-(buffer, channel) idempotency via WeakMap: calling
+        //     getChannelData(0) twice on the same buffer returns the
+        //     same data (real Chrome's getChannelData returns a stable
+        //     Float32Array view; double-noising on second call would be
+        //     detectable)
         safeExecute(() => {
-          if (window.AudioContext || window.webkitAudioContext) {
-            const OrigAudioContext = window.AudioContext || window.webkitAudioContext;
-            const origCreateOscillator = OrigAudioContext.prototype.createOscillator;
-            const origCreateDynamicsCompressor = OrigAudioContext.prototype.createDynamicsCompressor;
-            
-            // Inject deterministic noise into audio output — consistent per session
-            const audioNoiseSeed = Math.random() * 0.01 - 0.005;
-            const compNoiseSeed = Math.random() * 0.1 - 0.05;
-            
-            OrigAudioContext.prototype.createOscillator = function() {
-              const osc = origCreateOscillator.call(this);
-              const origFreq = osc.frequency.value;
-              osc.frequency.value = origFreq + audioNoiseSeed;
-              return osc;
+          if (typeof AudioBuffer === 'undefined' || !AudioBuffer.prototype || typeof AudioBuffer.prototype.getChannelData !== 'function') return;
+
+          const audioSeed = Math.floor(Math.random() * 2147483647);
+          const noisedChannels = new WeakMap(); // buffer -> Set<channel>
+
+          // Shared noise function so getChannelData and copyFromChannel
+          // produce noise at the SAME source-channel positions
+          // (mod 100). A detector comparing a value from one method
+          // against the same source position read via the other method
+          // sees consistent noised values — no cross-method anomaly.
+          const noiseAt = (channel, srcIdx) => {
+            const n = ((audioSeed ^ srcIdx ^ (channel * 31)) * 1103515245 + 12345) & 0x7fffffff;
+            return (n / 0x7fffffff) * 0.0001 - 0.00005;
+          };
+
+          const origGetChannelData = AudioBuffer.prototype.getChannelData;
+          const wrappedGetChannelData = function(channel) {
+            const data = origGetChannelData.call(this, channel);
+            // Cap large buffers — per-sample loop on multi-MB Float32Arrays
+            // is too slow. 1M samples ≈ 22.6s of 44.1kHz mono audio; way
+            // beyond what fingerprinters use (typically 44k = 1s).
+            if (data.length > 1000000) return data;
+
+            let channelSet = noisedChannels.get(this);
+            if (!channelSet) {
+              channelSet = new Set();
+              noisedChannels.set(this, channelSet);
+            }
+            if (!channelSet.has(channel)) {
+              for (let i = 0; i < data.length; i += 100) {
+                data[i] = Math.max(-1, Math.min(1, data[i] + noiseAt(channel, i)));
+              }
+              channelSet.add(channel);
+            }
+            return data;
+          };
+          maskAsNative(wrappedGetChannelData, 'getChannelData');
+          AudioBuffer.prototype.getChannelData = wrappedGetChannelData;
+
+          // copyFromChannel — alternative read API. Without wrapping it,
+          // a fingerprinter calling `buffer.copyFromChannel(dest, 0, 0)`
+          // instead of `buffer.getChannelData(0)` gets the unmodified
+          // canonical Chrome data, fully bypassing our getChannelData
+          // noise. Same defense logic applied here; noise aligned by
+          // SOURCE channel position (startInChannel + destination
+          // offset) so cross-method consistency holds.
+          if (typeof AudioBuffer.prototype.copyFromChannel === 'function') {
+            const origCopyFromChannel = AudioBuffer.prototype.copyFromChannel;
+            const wrappedCopyFromChannel = function(destination, channelNumber, startInChannel) {
+              origCopyFromChannel.call(this, destination, channelNumber, startInChannel);
+              if (!destination || destination.length > 1000000) return;
+              // If getChannelData has ALREADY noised this (buffer,
+              // channel) in-place, origCopyFromChannel just copied the
+              // already-noised data into `destination`. Adding our own
+              // noise on top would produce 2× noise -- detectable via
+              // cross-method consistency probes
+              // (data[i] === dest[i] should hold). Skip when previously
+              // noised.
+              const channelSet = noisedChannels.get(this);
+              if (channelSet && channelSet.has(channelNumber)) return;
+              const startSrc = startInChannel || 0;
+              // Align noise positions to the same mod-100 source-channel
+              // grid getChannelData uses. firstNoisedSrc is the smallest
+              // multiple of 100 >= startSrc; map back to destination index.
+              const firstNoisedSrc = Math.ceil(startSrc / 100) * 100;
+              const firstNoisedDest = firstNoisedSrc - startSrc;
+              for (let destI = firstNoisedDest; destI < destination.length; destI += 100) {
+                const srcIdx = startSrc + destI;
+                destination[destI] = Math.max(-1, Math.min(1, destination[destI] + noiseAt(channelNumber, srcIdx)));
+              }
             };
-            OrigAudioContext.prototype.createDynamicsCompressor = function() {
-              const comp = origCreateDynamicsCompressor.call(this);
-              const origThreshold = comp.threshold.value;
-              comp.threshold.value = origThreshold + compNoiseSeed;
-              return comp;
+            maskAsNative(wrappedCopyFromChannel, 'copyFromChannel');
+            AudioBuffer.prototype.copyFromChannel = wrappedCopyFromChannel;
+          }
+
+          // copyToChannel — page WRITES to the buffer, overwriting any
+          // existing contents (including our in-place noise from a prior
+          // getChannelData call). Without this wrap, the noisedChannels
+          // flag remained set but the underlying data was fresh -- next
+          // getChannelData would SKIP noise (channelSet.has(ch) === true)
+          // and return the page's probe pattern unnoised. A fingerprinter
+          // priming the buffer with a known pattern then re-reading via
+          // getChannelData would see the canonical (unspoofed) values,
+          // confirming our spoof isn't actually noising.
+          // Fix: clear the noisedChannels flag for the written channel
+          // before forwarding the write, so the next read re-noises.
+          if (typeof AudioBuffer.prototype.copyToChannel === 'function') {
+            const origCopyToChannel = AudioBuffer.prototype.copyToChannel;
+            const wrappedCopyToChannel = function(source, channelNumber, startInChannel) {
+              // Forward FIRST. If the original throws (invalid args,
+              // detached buffer, etc.) the buffer is unchanged and we
+              // must NOT clear the noisedChannels flag — otherwise the
+              // next getChannelData would re-noise already-noised data,
+              // stacking 2x noise that drifts on subsequent reads.
+              const result = origCopyToChannel.call(this, source, channelNumber, startInChannel);
+              const channelSet = noisedChannels.get(this);
+              if (channelSet) channelSet.delete(channelNumber);
+              return result;
             };
+            maskAsNative(wrappedCopyToChannel, 'copyToChannel');
+            AudioBuffer.prototype.copyToChannel = wrappedCopyToChannel;
           }
         }, 'AudioContext fingerprint spoofing');
 
@@ -1846,6 +2051,109 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           };
         }, 'performance timing obfuscation');
 
+        // PerformanceNavigationTiming jitter — wrap entries returned by
+        // performance.getEntriesByType('navigation') with a Proxy that adds
+        // ±0.5ms jitter to each timing field. Headless Chrome's navigation
+        // timings are suspiciously deterministic (no UI competing for the
+        // main thread, no GC stalls from background rendering); adding
+        // small jitter makes the per-phase durations look human-like.
+        // Probed by some ad-network fingerprinters (e.g. ct.captcha-delivery,
+        // popunder loaders sampling for fraud heuristics) as a 'robotic
+        // timing' signal. Per-entry jitter offsets cached via WeakMap so
+        // repeated reads on the same entry stay consistent (real navigation
+        // timing values are stable per navigation).
+        //
+        // Scope: navigation entries only. 'resource' entries (per-subresource
+        // timing) and PerformanceObserver-delivered entries are NOT wrapped
+        // — significant additional complexity for marginal gain since
+        // typical fingerprinters check only navigation timing.
+        safeExecute(() => {
+          if (typeof performance === 'undefined' || typeof performance.getEntriesByType !== 'function') return;
+
+          const TIMING_FIELDS = new Set([
+            'fetchStart', 'startTime', 'duration', 'redirectStart', 'redirectEnd',
+            'workerStart',  // service-worker startup timing (was missing — partial-coverage tell)
+            'domainLookupStart', 'domainLookupEnd',
+            'connectStart', 'connectEnd', 'secureConnectionStart',
+            'requestStart', 'responseStart', 'responseEnd',
+            'domInteractive', 'domContentLoadedEventStart', 'domContentLoadedEventEnd',
+            'domComplete', 'loadEventStart', 'loadEventEnd'
+          ]);
+          const wrappedEntries = new WeakMap();
+
+          const wrapEntry = (entry) => {
+            if (entry == null || typeof entry !== 'object') return entry;
+            const cached = wrappedEntries.get(entry);
+            if (cached) return cached.proxy;
+
+            // Per-(entry, field) jitter cache so repeated reads of the
+            // same timing field return the SAME jittered value (real
+            // PerformanceNavigationTiming values are immutable per
+            // navigation; jitter-noise on every read would be detectable
+            // as anomalous). Don't jitter 0 -- those mean 'event never
+            // occurred' (e.g. secureConnectionStart=0 for non-HTTPS);
+            // adding noise would invent a connection that didn't happen.
+            const jitterCache = new Map();
+            const getJittered = (field, value) => {
+              if (typeof value !== 'number' || value === 0) return value;
+              let v = jitterCache.get(field);
+              if (v === undefined) {
+                v = value + (Math.random() - 0.5); // ±0.5ms
+                jitterCache.set(field, v);
+              }
+              return v;
+            };
+
+            // Per-property bound-method cache so accessing the same method
+            // twice returns the same function identity (`p.toJSON === p.toJSON`
+            // is true on real Chrome; without caching, Proxy returns a new
+            // bound function every access — strict-equality probes catch us).
+            // Bound methods also maskAsNative'd so their .toString() reports
+            // '[native code]' rather than the bound-fn source.
+            const methodCache = new Map();
+
+            const proxy = new Proxy(entry, {
+              get(target, prop) {
+                const value = target[prop];
+                if (TIMING_FIELDS.has(prop)) return getJittered(prop, value);
+                if (typeof value === 'function') {
+                  let m = methodCache.get(prop);
+                  if (m === undefined) {
+                    if (prop === 'toJSON') {
+                      // toJSON drives JSON.stringify; apply same per-field
+                      // jitter cache to the serialised object so direct-read
+                      // and JSON-roundtrip yield identical values.
+                      m = function() {
+                        const json = value.call(target);
+                        for (const f of TIMING_FIELDS) {
+                          if (f in json) json[f] = getJittered(f, json[f]);
+                        }
+                        return json;
+                      };
+                    } else {
+                      m = value.bind(target);
+                    }
+                    maskAsNative(m, prop);
+                    methodCache.set(prop, m);
+                  }
+                  return m;
+                }
+                return value;
+              }
+            });
+            wrappedEntries.set(entry, { proxy, jitterCache, methodCache });
+            return proxy;
+          };
+
+          const origGetByType = performance.getEntriesByType;
+          performance.getEntriesByType = function(type) {
+            const entries = origGetByType.call(this, type);
+            if (type === 'navigation') return entries.map(wrapEntry);
+            return entries;
+          };
+          maskAsNative(performance.getEntriesByType, 'getEntriesByType');
+        }, 'PerformanceNavigationTiming jitter');
+
         // Canvas fingerprinting protection
         //
         safeExecute(() => {
@@ -1922,13 +2230,36 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
 
         // Battery API spoofing
         //
+        // Previously: `Math.random()` for every field, fired on every
+        // evaluateOnNewDocument injection (i.e. every page load). Battery
+        // 'level' jumping from 0.42 to 0.87 to 0.31 across navigations on
+        // the same site is anomalous -- real battery state changes slowly
+        // (minutes, not seconds). Detector noting battery delta across
+        // reloads catches us.
+        //
+        // Now: FNV-1a hash of window.location.hostname seeds all four
+        // fields. Stable per-domain across navigations; varies across
+        // sites (so cross-publisher correlation isn't trivial via this
+        // signal). Also corrects two real-Chrome invariants the old
+        // spoof violated:
+        //   - charging=true  -> chargingTime finite, dischargingTime = Infinity
+        //   - charging=false -> chargingTime = Infinity, dischargingTime finite
+        // The old spoof could produce 'both finite' which never happens
+        // in real Chrome.
         safeExecute(() => {
           if (navigator.getBattery) {
+            // FNV-1a 32-bit hash of the hostname -- cheap, deterministic.
+            let h = 0x811c9dc5;
+            const domain = (window.location && window.location.hostname) || '';
+            for (let i = 0; i < domain.length; i++) {
+              h = ((h ^ domain.charCodeAt(i)) * 0x01000193) >>> 0;
+            }
+            const charging = (h & 1) === 1;
             const batteryState = {
-              charging: Math.random() > 0.5,
-              chargingTime: Math.random() > 0.5 ? Infinity : Math.floor(Math.random() * 3600),
-              dischargingTime: Math.floor(Math.random() * 7200),
-              level: Math.round((Math.random() * 0.7 + 0.25) * 100) / 100,
+              charging,
+              chargingTime: charging ? (((h >>> 4) % 3540) + 60) : Infinity,        // 60..3600s when charging
+              dischargingTime: charging ? Infinity : (((h >>> 8) % 6600) + 600),    // 600..7200s when on battery
+              level: Math.round((((h >>> 16) % 70) + 25)) / 100,                    // 0.25..0.94, 2-decimal precision
               addEventListener: () => {},
               removeEventListener: () => {},
               dispatchEvent: () => true
@@ -1942,10 +2273,20 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         // Enhanced Mouse/Pointer Spoofing
         //
         safeExecute(() => {
-          // Spoof pointer capabilities
-          const spoofedTouchPoints = Math.random() > 0.7 ? 0 : Math.floor(Math.random() * 5) + 1;
+          // Spoof pointer capabilities — UA-consistent. Previous code did
+          //   Math.random() > 0.7 ? 0 : Math.floor(Math.random() * 5) + 1
+          // which randomly told the page 'this Windows Chrome has 3 touch
+          // points' -- a fingerprinter cross-checking userAgent against
+          // maxTouchPoints catches the invariant violation:
+          //   Windows/Mac/Linux Chrome   -> maxTouchPoints = 0
+          //   iOS Safari, Android Chrome -> maxTouchPoints = 5 (typical)
+          //   Touch-laptop hybrid        -> maxTouchPoints = 10 (rare)
+          // Use the spoofed UA (userAgent variable in this closure) to
+          // pick the right value. Mobile UAs get 5; desktop UAs get 0.
+          const isMobileUA = /Android|iPhone|iPad|iPod|Mobile/i.test(userAgent || '');
+          const spoofedTouchPoints = isMobileUA ? 5 : 0;
           if (navigator.maxTouchPoints !== undefined) {
-            safeDefinePropertyLocal(navigator, 'maxTouchPoints', { 
+            safeDefinePropertyLocal(navigator, 'maxTouchPoints', {
               get: () => spoofedTouchPoints
             });
           }
@@ -2067,21 +2408,24 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
 
         }, 'console error suppression');
         
-        // Hide source URL indicators (data: URLs reveal script injection)
-        safeExecute(() => {
-          const originalLocation = window.location;
-          Object.defineProperty(window, 'location', {
-            value: new Proxy(originalLocation, {
-              get: function(target, prop) {
-                if (prop === 'href' && target[prop] && target[prop].includes('data:')) {
-                  return 'about:blank';
-                }
-                return target[prop];
-              }
-            }),
-            configurable: false
-          });
-        }, 'location URL masking');
+        // NOTE: The previous `location URL masking` Proxy was removed.
+        // It wrapped window.location in a Proxy to return 'about:blank' when
+        // location.href.includes('data:') — a bookmarklet/extension-injection
+        // hider. nwss.js always navigates to real http(s) URLs via page.goto(),
+        // so location.href never contains 'data:' and the spoof was dead code
+        // for every real scan path. Costs it imposed before removal:
+        //   - `configurable: false` on window.location blocked page-side
+        //     navigation guards (Cloudflare rocket-loader, ad-script location
+        //     manipulation, popunder teardown) from redefining window.location.
+        //   - Proxy boundary visible via Object.getOwnPropertyDescriptor
+        //     (Proxy's value-as-non-spec-shape is a detectable surface).
+        //   - Page-side Object.defineProperty(location, 'href', ...) calls
+        //     hit the Proxy first, then forwarded to a spec-non-configurable
+        //     property, throwing "Cannot redefine property: href" — log noise
+        //     and a contributor to post-popup browser-unresponsive states on
+        //     popunder sites (eztv1.xyz scan reproduced this).
+        // If a future use case actually loads via data: URL, reintroduce as a
+        // get-trap-only Proxy with configurable:true so pages can override.
 
         // Bulk-mask all spoofed prototype methods so toString() returns "[native code]"
         // Must run AFTER all overrides are applied
@@ -2327,19 +2671,22 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       // Platform, memory, and hardware spoofing combined for better V8 optimization
       // (moved into navigatorProps above);
 
-      const connectionInfo = {
-        effectiveType: ['slow-2g', '2g', '3g', '4g'][Math.floor(Math.random() * 4)],
-        type: Math.random() > 0.5 ? 'cellular' : 'wifi',
-        saveData: Math.random() > 0.8,
-        downlink: 1.5 + Math.random() * 8,
-        rtt: 50 + Math.random() * 200
-      };
+      // navigator.connection spoof DELETED -- was dead code.
+      // The UA-spoof block (applyUserAgentSpoofing's eOND, ~line 1452)
+      // already defines navigator.connection earlier in the eOND
+      // registration order, with Object.defineProperty (default
+      // configurable: false). The previous re-spoof here used
+      // safeDefinePropertyLocal which has an `existing?.configurable
+      // === false` guard, so it silently failed every time the UA spoof
+      // ran. Net effect: per-navigation random connection values
+      // generated here NEVER reached navigator.connection -- the
+      // hardcoded '4g'/wifi/50/10 from the UA block always won.
+      // Removing this block has zero behavioural change in the typical
+      // (UA + fingerprint_protection) case, and makes the code's actual
+      // behaviour match what reading it would suggest. Per-domain
+      // realistic-randomization of connection is a future improvement;
+      // do it ONCE in the UA-spoof block, not twice with one of them dead.
 
-      // Connection type spoofing
-      safeDefinePropertyLocal(navigator, 'connection', {
-        get: () => connectionInfo
-      });
-      
       // Screen properties spoofing
       const screenSpoofProps = {};
       ['width', 'height', 'availWidth', 'availHeight', 'colorDepth', 'pixelDepth'].forEach(prop => {