@fanboynz/network-scanner 3.0.3 → 3.1.2

package/lib/fingerprint.js

@@ -26,15 +26,57 @@ function seededRandom(seed) {
 const _fingerprintCache = new Map();
 const FINGERPRINT_CACHE_MAX = 500;
 
+// The build portion of the Chrome full version (major.0.BUILD). The reduced
+// UA string deliberately hides this (Chrome/148.0.0.0), but the full-version
+// Client Hints — Sec-CH-UA-Full-Version, -Full-Version-List, and
+// userAgentData.getHighEntropyValues(['fullVersionList','uaFullVersion']) —
+// expose the REAL build. Single source of truth so the HTTP headers (set in
+// nwss.js, which imports this) and the JS high-entropy spoof can't disagree;
+// a server cross-checking the two would catch a mismatch. The major comes
+// from the UA string at each call site, so on a Chrome bump update BOTH the
+// USER_AGENT_COLLECTIONS major AND this build.
+//
+// We deliberately spoof the current STABLE Chrome (148), NOT whatever build
+// puppeteer happens to bundle (currently 149, ahead of Stable) — the spoof
+// must blend with the real-world population, and almost nobody runs 149 yet.
+// 7778.217 is a real 148 Stable build (verified against a live Chrome 148
+// desktop). The bundled 149 binary still works; only the claimed identity is
+// pinned to Stable.
+const CHROME_BUILD = '7778.217';
+
+// Chrome's UA-CH GREASE brand. Despite the name, GREASE is NOT random per
+// request — Chromium derives the greasy brand string AND the brand-list order
+// deterministically from the major version, so every real Chrome 148 emits the
+// exact same Sec-CH-UA. Anti-bot detectors exploit this: a spoofer that uses a
+// stale/wrong grease ("Not:A-Brand" instead of 148's "Not/A)Brand") or the
+// wrong order is instantly flagged. Real Chrome 148 order is Chromium, Google
+// Chrome, <grease>. Both the string AND the order are version-coupled — update
+// alongside the major when bumping (verify against a real Chrome of that major).
+const CHROME_GREASE_BRAND = 'Not/A)Brand';
+
 // User agent collections with latest versions
 const USER_AGENT_COLLECTIONS = Object.freeze(new Map([
-  ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['chrome_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['chrome_linux', "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36"],
-  ['firefox', "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['firefox_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['firefox_linux', "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"],
-  ['safari', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.6 Safari/605.1.15"]
+  // Chrome version uses the reduced 'X.0.0.0' privacy-preserving form (per
+  // Chrome's UA reduction since v101). The full build (148.0.7778.217) is
+  // not exposed via UA in modern Chrome — UA-Client-Hints carries that
+  // separately (see CHROME_BUILD). Pinned to the current STABLE major (148),
+  // which is what the real-world population runs — NOT the newer build
+  // puppeteer bundles; we want to blend in, not advertise an ahead-of-Stable
+  // version. Bump when Stable advances, alongside CHROME_BUILD.
+  ['chrome', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  ['chrome_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  ['chrome_linux', "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/148.0.0.0 Safari/537.36"],
+  // Firefox 151 stable (user-confirmed: 151.0.2). UA convention is to use
+  // major.minor for both rv: and Firefox/ — patch level is not customary
+  // in the UA string and matches existing nwss style.
+  ['firefox', "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  ['firefox_mac', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  ['firefox_linux', "Mozilla/5.0 (X11; Linux x86_64; rv:151.0) Gecko/20100101 Firefox/151.0"],
+  // Safari 19.5 estimated current stable as of late May 2026 (macOS Tahoe).
+  // Not user-confirmed; adjust if a more recent Safari version is verified.
+  // The Version/X.Y prefix is what fingerprinters key off; Safari/605.1.15
+  // is the long-stable WebKit version string (~unchanged since Safari 17).
+  ['safari', "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/19.5 Safari/605.1.15"]
 ]));
 
 // GPU pool — realistic vendor/renderer combos per OS (used for WebGL spoofing)
@@ -166,7 +208,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
   // Generate OS-appropriate hardware specs
   const profiles = {
     windows: {
-      deviceMemory: [8, 16], // Common Windows configurations
+      deviceMemory: [8], // caps at 8 (navigator.deviceMemory max); matches HTTP Sec-CH-Device-Memory on >=8GB hosts
       hardwareConcurrency: [4, 6, 8], // Typical consumer CPUs
       platform: 'Win32',
       timezone: 'America/New_York',
@@ -178,7 +220,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
       ]
     },
     mac: {
-      deviceMemory: [8, 16], // MacBook/iMac typical configs
+      deviceMemory: [8], // caps at 8 (see Windows profile note)
       hardwareConcurrency: [8, 10], // Apple Silicon M1/M2 cores
       platform: 'MacIntel',
       timezone: 'America/Los_Angeles',
@@ -190,7 +232,7 @@ function generateRealisticFingerprint(userAgent, domain = '') {
       ]
     },
     linux: {
-      deviceMemory: [8, 16],
+      deviceMemory: [8],
       hardwareConcurrency: [4, 8, 12], // Wide variety on Linux
       platform: 'Linux x86_64',
       timezone: 'America/New_York',
@@ -320,7 +362,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
       // same value regardless of which evaluate runs first.
       const realistic = generateRealisticFingerprint(ua, siteDomain);
 
-      await page.evaluateOnNewDocument((userAgent, debugEnabled, gpuConfig, seededCores) => {
+      await page.evaluateOnNewDocument((userAgent, debugEnabled, gpuConfig, seededCores, chromeBuild, chromeGrease) => {
       
         // Apply inline error suppression first
         (function() {
@@ -590,7 +632,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 // consistent number. Was hardcoded "146.0.0.0" which lied
                 // any time the UA was rotated to a different Chrome major.
                 const m = userAgent.match(/Chrome\/(\d+)/);
-                const major = m ? m[1] : '146';
+                const major = m ? m[1] : '148';
                 return {
                   name: "Chrome",
                   version: `${major}.0.0.0`,
@@ -868,13 +910,22 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           if (!userAgent.includes('Chrome/')) return; // Only for Chrome UAs
 
           const chromeMatch = userAgent.match(/Chrome\/(\d+)/);
-          const majorVersion = chromeMatch ? chromeMatch[1] : '145';
+          const majorVersion = chromeMatch ? chromeMatch[1] : '148';
 
           let platform = 'Windows';
-          let platformVersion = '15.0.0';
+          // 19.0.0 = current Windows 11 mapping (verified against a real
+          // Chrome 148 desktop; the old 15.0.0 was an older Win11 build).
+          // MUST match nwss.js's Sec-CH-UA-Platform-Version header.
+          let platformVersion = '19.0.0';
           let architecture = 'x86';
           let model = '';
           let bitness = '64';
+          // wow64 is true only for a 32-bit Chrome on 64-bit Windows. Our
+          // spoofed configs are all 64-bit (bitness '64'), so it's false on
+          // every platform — but the value must be PRESENT: the server's
+          // accept-ch requests sec-ch-ua-wow64 and trackers call
+          // getHighEntropyValues(['wow64']); an undefined return is a tell.
+          const wow64 = false;
           if (userAgent.includes('Macintosh') || userAgent.includes('Mac OS X')) {
             platform = 'macOS';
             platformVersion = '13.5.0';
@@ -885,10 +936,12 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             architecture = 'x86';
           }
 
+          // Order + grease must match real Chrome of this major exactly
+          // (deterministic GREASE): Chromium, Google Chrome, <grease>.
           const brands = [
-            { brand: 'Not:A-Brand', version: '99' },
+            { brand: 'Chromium', version: majorVersion },
             { brand: 'Google Chrome', version: majorVersion },
-            { brand: 'Chromium', version: majorVersion }
+            { brand: chromeGrease, version: '99' }
           ];
 
           const uaData = {
@@ -903,11 +956,20 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
                 architecture: architecture,
                 bitness: bitness,
                 model: model,
+                wow64: wow64,
+                // Real Chrome (128+) always exposes this for desktop. Omitting
+                // it returned undefined to any site requesting form-factors.
+                formFactors: ['Desktop'],
                 platformVersion: platformVersion,
+                // uaFullVersion (deprecated but still requested via
+                // sec-ch-ua-full-version) and fullVersionList both carry the
+                // real build, sourced from CHROME_BUILD (passed in as
+                // chromeBuild) so HTTP headers and JS can't drift apart.
+                uaFullVersion: majorVersion + '.0.' + chromeBuild,
                 fullVersionList: [
-                  { brand: 'Not:A-Brand', version: '99.0.0.0' },
-                  { brand: 'Google Chrome', version: majorVersion + '.0.7632.160' },
-                  { brand: 'Chromium', version: majorVersion + '.0.7632.160' }
+                  { brand: 'Chromium', version: majorVersion + '.0.' + chromeBuild },
+                  { brand: 'Google Chrome', version: majorVersion + '.0.' + chromeBuild },
+                  { brand: chromeGrease, version: '99.0.0.0' }
                 ]
               };
               // Only return requested hints
@@ -1390,7 +1452,20 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           // simulation (interact / ghost-cursor) both should be true; we
           // default to true so a site checking before our synthetic
           // gestures fire still sees a 'user activated' page.
-          if (navigator && !navigator.userActivation) {
+          //
+          // ALWAYS override — the prior guard `if (!navigator.userActivation)`
+          // meant this code only fired when the property was missing.
+          // But navigator.userActivation has existed in Chrome since
+          // version 88 (Jan 2021) — modern Chrome (the UA we spoof)
+          // always has it natively. The guard therefore prevented the
+          // spoof from ever firing in normal use; real headless Chrome's
+          // hasBeenActive=false / isActive=false leaked through, an
+          // easy bot signal that many modern detectors check
+          // (DataDome, PerimeterX, the AdsCore-integrated popunder
+          // loaders like blazyload.min.js which probe userActivation 6×
+          // to gate window.open). Drop the guard so we always shadow
+          // the prototype-level getter with our true/true values.
+          if (navigator) {
             try {
               const userActivation = {
                 hasBeenActive: true,
@@ -1455,17 +1530,80 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
         // `navigator.connection === navigator.connection`; previously
         // the getter returned a new object on every read, which a
         // tracker could detect by comparing references.
+        //
+        // Per-domain seeded values (FNV-1a hash of hostname): hardcoded
+        // '4g/wifi/50/10' across every site was a cross-publisher
+        // tracking axis -- a fingerprinter aggregating across N sites
+        // running the same script saw identical connection values
+        // everywhere, useful as a stable identity signal. Domain-seeding
+        // breaks that while keeping values stable per-domain (real
+        // navigator.connection IS stable per-session; per-navigation
+        // randomness would be its own anomaly). Same pattern as the
+        // Battery API fix in c1affe4.
         safeExecute(() => {
           if (!navigator.connection) {
+            let h = 0x811c9dc5;
+            const domain = (window.location && window.location.hostname) || '';
+            for (let i = 0; i < domain.length; i++) {
+              h = ((h ^ domain.charCodeAt(i)) * 0x01000193) >>> 0;
+            }
+            // 4g 75%, 3g 18%, 2g 5%, slow-2g 2% — distribution biased
+            // toward modern broadband since most page loads happen there.
+            const etRoll = (h >>> 4) % 100;
+            const effectiveType = etRoll < 75 ? '4g'
+                                : etRoll < 93 ? '3g'
+                                : etRoll < 98 ? '2g'
+                                : 'slow-2g';
+            // rtt + downlink MUST correlate with effectiveType — the
+            // W3C Network Information API defines effectiveType as a
+            // CLASSIFICATION of rtt/downlink ranges, so producing
+            // slow-2g with 32.5 Mbps downlink (as the prior uncorrelated
+            // version did) is physically impossible in real Chrome. A
+            // detector cross-checking effectiveType against rtt/downlink
+            // magnitudes catches that trivially. Ranges below match the
+            // spec's boundaries:
+            //   slow-2g: rtt > 2000ms, downlink < 0.05 Mbps
+            //   2g:      rtt > 1400ms, downlink < 0.07 Mbps
+            //   3g:      rtt > 270ms,  downlink < 0.7 Mbps
+            //   4g:      rtt < 270ms,  downlink >= 0.7 Mbps
+            const rttRange = effectiveType === '4g'      ? [25, 250]
+                           : effectiveType === '3g'      ? [275, 1400]
+                           : effectiveType === '2g'      ? [1425, 2000]
+                           : /* slow-2g */                 [2025, 5000];
+            const dlRange  = effectiveType === '4g'      ? [1.0, 50.0]
+                           : effectiveType === '3g'      ? [0.1, 0.7]
+                           : effectiveType === '2g'      ? [0.05, 0.07]
+                           : /* slow-2g */                 [0.01, 0.05];
+            // 25ms-bucketed rtt (Chrome's privacy rounding granularity)
+            const rttRaw = rttRange[0] + (((h >>> 8) % 1000) / 1000) * (rttRange[1] - rttRange[0]);
+            const rtt = Math.round(rttRaw / 25) * 25;
+            // 0.025-precision downlink (Chrome's privacy rounding)
+            const dlRaw = dlRange[0] + (((h >>> 16) % 1000) / 1000) * (dlRange[1] - dlRange[0]);
+            const downlink = Math.round(dlRaw * 40) / 40;
+            // saveData ~5% — most users don't enable Data Saver
+            const saveData = ((h >>> 24) & 0xff) < 13;
+            // NetworkInformation extends EventTarget — real Chrome has
+            // dispatchEvent in addition to add/removeEventListener.
+            // Returning true per the EventTarget spec for the
+            // no-listeners case (no preventDefault called).
             const connectionInfoStable = {
-              effectiveType: '4g',
-              rtt: 50,
-              downlink: 10,
-              saveData: false,
-              type: 'wifi',
+              effectiveType,
+              rtt,
+              downlink,
+              saveData,
               addEventListener: () => {},
-              removeEventListener: () => {}
+              removeEventListener: () => {},
+              dispatchEvent: () => true
             };
+            // NetworkInformation.type is DEPRECATED and only exposed on
+            // mobile Chrome. On desktop Chrome (Windows/Mac/Linux) it's
+            // not present — `'type' in navigator.connection` returns
+            // false. Only include it when spoofing a mobile UA, else
+            // its presence is a fingerprint tell against the desktop
+            // platform our UA collection currently advertises.
+            if (/Android|iPhone|iPad|iPod|Mobile/i.test(userAgent || '')) {
+              connectionInfoStable.type = ((h >>> 12) % 10) < 7 ? 'wifi' : 'cellular';
+            }
             Object.defineProperty(navigator, 'connection', {
               get: () => connectionInfoStable
             });
@@ -1481,49 +1619,146 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'pdfViewerEnabled spoofing');
 
-        // speechSynthesis — headless returns empty voices array
+        // (speechSynthesis voices are spoofed in a single, fuller block later
+        // in this evaluate — "speechSynthesis voices spoofing" — which installs
+        // the complete claimed-OS voice set with instanceof-correct objects. An
+        // earlier 2-voice fallback override lived here and was redundant: the
+        // later block replaced it unconditionally on every injection. Removed.)
+
+        // AudioContext fingerprint spoofing — intercept the actual READ
+        // surface fingerprinters care about.
+        //
+        // Previous spoof modified default frequency / threshold values on
+        // OscillatorNode / DynamicsCompressor at create time. That was
+        // essentially useless: real audio fingerprinters do
+        //   const osc = ctx.createOscillator();
+        //   osc.frequency.value = 1000;  // ← OVERWRITES our noise
+        //   ... render ... ctx.startRendering().then(buf => hash(buf.getChannelData(0)));
+        // The noise we put on the default 440 Hz was blown away the
+        // moment the probe set its own value, and never affected the
+        // rendered output the fingerprinter actually hashes.
+        //
+        // Correct attack surface: AudioBuffer.prototype.getChannelData.
+        // EVERY audio fingerprinter ends up reading the rendered buffer
+        // via this method (it's the only way to get Float32Array data
+        // out). Wrap it at the prototype so all AudioBuffers (from
+        // OfflineAudioContext.startRendering, from AudioBufferSourceNode,
+        // from decodeAudioData, etc.) get the same treatment.
+        //
+        // Noise design:
+        //   - sparse (every 100th sample) so audio remains perceptually
+        //     identical if actually played
+        //   - tiny magnitude (±0.00005) so the hash differs but the wave
+        //     shape doesn't
+        //   - deterministic per session (audioSeed) so repeated renders
+        //     of the same audio produce the same noised output
+        //   - per-(buffer, channel) idempotency via WeakMap: calling
+        //     getChannelData(0) twice on the same buffer returns the
+        //     same data (real Chrome's getChannelData returns a stable
+        //     Float32Array view; double-noising on second call would be
+        //     detectable)
         safeExecute(() => {
-          if (window.speechSynthesis) {
-            const origGetVoices = speechSynthesis.getVoices.bind(speechSynthesis);
-            speechSynthesis.getVoices = function() {
-              const voices = origGetVoices();
-              if (voices.length === 0) {
-                return [{
-                  default: true, lang: 'en-US', localService: true,
-                  name: 'Microsoft David - English (United States)', voiceURI: 'Microsoft David - English (United States)'
-                }, {
-                  default: false, lang: 'en-US', localService: true,
-                  name: 'Microsoft Zira - English (United States)', voiceURI: 'Microsoft Zira - English (United States)'
-                }];
+          if (typeof AudioBuffer === 'undefined' || !AudioBuffer.prototype || typeof AudioBuffer.prototype.getChannelData !== 'function') return;
+
+          const audioSeed = Math.floor(Math.random() * 2147483647);
+          const noisedChannels = new WeakMap(); // buffer -> Set<channel>
+
+          // Shared noise function so getChannelData and copyFromChannel
+          // produce noise at the SAME source-channel positions
+          // (mod 100). A detector comparing a value from one method
+          // against the same source position read via the other method
+          // sees consistent noised values — no cross-method anomaly.
+          const noiseAt = (channel, srcIdx) => {
+            const n = ((audioSeed ^ srcIdx ^ (channel * 31)) * 1103515245 + 12345) & 0x7fffffff;
+            return (n / 0x7fffffff) * 0.0001 - 0.00005;
+          };
+
+          const origGetChannelData = AudioBuffer.prototype.getChannelData;
+          const wrappedGetChannelData = function(channel) {
+            const data = origGetChannelData.call(this, channel);
+            // Cap large buffers — per-sample loop on multi-MB Float32Arrays
+            // is too slow. 1M samples ≈ 22.6s of 44.1kHz mono audio; way
+            // beyond what fingerprinters use (typically 44k = 1s).
+            if (data.length > 1000000) return data;
+
+            let channelSet = noisedChannels.get(this);
+            if (!channelSet) {
+              channelSet = new Set();
+              noisedChannels.set(this, channelSet);
+            }
+            if (!channelSet.has(channel)) {
+              for (let i = 0; i < data.length; i += 100) {
+                data[i] = Math.max(-1, Math.min(1, data[i] + noiseAt(channel, i)));
+              }
+              channelSet.add(channel);
+            }
+            return data;
+          };
+          maskAsNative(wrappedGetChannelData, 'getChannelData');
+          AudioBuffer.prototype.getChannelData = wrappedGetChannelData;
+
+          // copyFromChannel — alternative read API. Without wrapping it,
+          // a fingerprinter calling `buffer.copyFromChannel(dest, 0, 0)`
+          // instead of `buffer.getChannelData(0)` gets the unmodified
+          // canonical Chrome data, fully bypassing our getChannelData
+          // noise. Same defense logic applied here; noise aligned by
+          // SOURCE channel position (startInChannel + destination
+          // offset) so cross-method consistency holds.
+          if (typeof AudioBuffer.prototype.copyFromChannel === 'function') {
+            const origCopyFromChannel = AudioBuffer.prototype.copyFromChannel;
+            const wrappedCopyFromChannel = function(destination, channelNumber, startInChannel) {
+              origCopyFromChannel.call(this, destination, channelNumber, startInChannel);
+              if (!destination || destination.length > 1000000) return;
+              // If getChannelData has ALREADY noised this (buffer,
+              // channel) in-place, origCopyFromChannel just copied the
+              // already-noised data into `destination`. Adding our own
+              // noise on top would produce 2× noise -- detectable via
+              // cross-method consistency probes
+              // (data[i] === dest[i] should hold). Skip when previously
+              // noised.
+              const channelSet = noisedChannels.get(this);
+              if (channelSet && channelSet.has(channelNumber)) return;
+              const startSrc = startInChannel || 0;
+              // Align noise positions to the same mod-100 source-channel
+              // grid getChannelData uses. firstNoisedSrc is the smallest
+              // multiple of 100 >= startSrc; map back to destination index.
+              const firstNoisedSrc = Math.ceil(startSrc / 100) * 100;
+              const firstNoisedDest = firstNoisedSrc - startSrc;
+              for (let destI = firstNoisedDest; destI < destination.length; destI += 100) {
+                const srcIdx = startSrc + destI;
+                destination[destI] = Math.max(-1, Math.min(1, destination[destI] + noiseAt(channelNumber, srcIdx)));
               }
-              return voices;
             };
+            maskAsNative(wrappedCopyFromChannel, 'copyFromChannel');
+            AudioBuffer.prototype.copyFromChannel = wrappedCopyFromChannel;
           }
-        }, 'speechSynthesis spoofing');
 
-        // AudioContext — headless has distinct audio processing fingerprint
-        safeExecute(() => {
-          if (window.AudioContext || window.webkitAudioContext) {
-            const OrigAudioContext = window.AudioContext || window.webkitAudioContext;
-            const origCreateOscillator = OrigAudioContext.prototype.createOscillator;
-            const origCreateDynamicsCompressor = OrigAudioContext.prototype.createDynamicsCompressor;
-            
-            // Inject deterministic noise into audio output — consistent per session
-            const audioNoiseSeed = Math.random() * 0.01 - 0.005;
-            const compNoiseSeed = Math.random() * 0.1 - 0.05;
-            
-            OrigAudioContext.prototype.createOscillator = function() {
-              const osc = origCreateOscillator.call(this);
-              const origFreq = osc.frequency.value;
-              osc.frequency.value = origFreq + audioNoiseSeed;
-              return osc;
-            };
-            OrigAudioContext.prototype.createDynamicsCompressor = function() {
-              const comp = origCreateDynamicsCompressor.call(this);
-              const origThreshold = comp.threshold.value;
-              comp.threshold.value = origThreshold + compNoiseSeed;
-              return comp;
+          // copyToChannel — page WRITES to the buffer, overwriting any
+          // existing contents (including our in-place noise from a prior
+          // getChannelData call). Without this wrap, the noisedChannels
+          // flag remained set but the underlying data was fresh -- next
+          // getChannelData would SKIP noise (channelSet.has(ch) === true)
+          // and return the page's probe pattern unnoised. A fingerprinter
+          // priming the buffer with a known pattern then re-reading via
+          // getChannelData would see the canonical (unspoofed) values,
+          // confirming our spoof isn't actually noising.
+          // Fix: clear the noisedChannels flag for the written channel
+          // before forwarding the write, so the next read re-noises.
+          if (typeof AudioBuffer.prototype.copyToChannel === 'function') {
+            const origCopyToChannel = AudioBuffer.prototype.copyToChannel;
+            const wrappedCopyToChannel = function(source, channelNumber, startInChannel) {
+              // Forward FIRST. If the original throws (invalid args,
+              // detached buffer, etc.) the buffer is unchanged and we
+              // must NOT clear the noisedChannels flag — otherwise the
+              // next getChannelData would re-noise already-noised data,
+              // stacking 2x noise that drifts on subsequent reads.
+              const result = origCopyToChannel.call(this, source, channelNumber, startInChannel);
+              const channelSet = noisedChannels.get(this);
+              if (channelSet) channelSet.delete(channelNumber);
+              return result;
             };
+            maskAsNative(wrappedCopyToChannel, 'copyToChannel');
+            AudioBuffer.prototype.copyToChannel = wrappedCopyToChannel;
           }
         }, 'AudioContext fingerprint spoofing');
 
@@ -1846,6 +2081,109 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           };
         }, 'performance timing obfuscation');
 
+        // PerformanceNavigationTiming jitter — wrap entries returned by
+        // performance.getEntriesByType('navigation') with a Proxy that adds
+        // ±0.5ms jitter to each timing field. Headless Chrome's navigation
+        // timings are suspiciously deterministic (no UI competing for the
+        // main thread, no GC stalls from background rendering); adding
+        // small jitter makes the per-phase durations look human-like.
+        // Probed by some ad-network fingerprinters (e.g. ct.captcha-delivery,
+        // popunder loaders sampling for fraud heuristics) as a 'robotic
+        // timing' signal. Per-entry jitter offsets cached via WeakMap so
+        // repeated reads on the same entry stay consistent (real navigation
+        // timing values are stable per navigation).
+        //
+        // Scope: navigation entries only. 'resource' entries (per-subresource
+        // timing) and PerformanceObserver-delivered entries are NOT wrapped
+        // — significant additional complexity for marginal gain since
+        // typical fingerprinters check only navigation timing.
+        safeExecute(() => {
+          if (typeof performance === 'undefined' || typeof performance.getEntriesByType !== 'function') return;
+
+          const TIMING_FIELDS = new Set([
+            'fetchStart', 'startTime', 'duration', 'redirectStart', 'redirectEnd',
+            'workerStart',  // service-worker startup timing (was missing — partial-coverage tell)
+            'domainLookupStart', 'domainLookupEnd',
+            'connectStart', 'connectEnd', 'secureConnectionStart',
+            'requestStart', 'responseStart', 'responseEnd',
+            'domInteractive', 'domContentLoadedEventStart', 'domContentLoadedEventEnd',
+            'domComplete', 'loadEventStart', 'loadEventEnd'
+          ]);
+          const wrappedEntries = new WeakMap();
+
+          const wrapEntry = (entry) => {
+            if (entry == null || typeof entry !== 'object') return entry;
+            const cached = wrappedEntries.get(entry);
+            if (cached) return cached.proxy;
+
+            // Per-(entry, field) jitter cache so repeated reads of the
+            // same timing field return the SAME jittered value (real
+            // PerformanceNavigationTiming values are immutable per
+            // navigation; jitter-noise on every read would be detectable
+            // as anomalous). Don't jitter 0 -- those mean 'event never
+            // occurred' (e.g. secureConnectionStart=0 for non-HTTPS);
+            // adding noise would invent a connection that didn't happen.
+            const jitterCache = new Map();
+            const getJittered = (field, value) => {
+              if (typeof value !== 'number' || value === 0) return value;
+              let v = jitterCache.get(field);
+              if (v === undefined) {
+                v = value + (Math.random() - 0.5); // ±0.5ms
+                jitterCache.set(field, v);
+              }
+              return v;
+            };
+
+            // Per-property bound-method cache so accessing the same method
+            // twice returns the same function identity (`p.toJSON === p.toJSON`
+            // is true on real Chrome; without caching, Proxy returns a new
+            // bound function every access — strict-equality probes catch us).
+            // Bound methods also maskAsNative'd so their .toString() reports
+            // '[native code]' rather than the bound-fn source.
+            const methodCache = new Map();
+
+            const proxy = new Proxy(entry, {
+              get(target, prop) {
+                const value = target[prop];
+                if (TIMING_FIELDS.has(prop)) return getJittered(prop, value);
+                if (typeof value === 'function') {
+                  let m = methodCache.get(prop);
+                  if (m === undefined) {
+                    if (prop === 'toJSON') {
+                      // toJSON drives JSON.stringify; apply same per-field
+                      // jitter cache to the serialised object so direct-read
+                      // and JSON-roundtrip yield identical values.
+                      m = function() {
+                        const json = value.call(target);
+                        for (const f of TIMING_FIELDS) {
+                          if (f in json) json[f] = getJittered(f, json[f]);
+                        }
+                        return json;
+                      };
+                    } else {
+                      m = value.bind(target);
+                    }
+                    maskAsNative(m, prop);
+                    methodCache.set(prop, m);
+                  }
+                  return m;
+                }
+                return value;
+              }
+            });
+            wrappedEntries.set(entry, { proxy, jitterCache, methodCache });
+            return proxy;
+          };
+
+          const origGetByType = performance.getEntriesByType;
+          performance.getEntriesByType = function(type) {
+            const entries = origGetByType.call(this, type);
+            if (type === 'navigation') return entries.map(wrapEntry);
+            return entries;
+          };
+          maskAsNative(performance.getEntriesByType, 'getEntriesByType');
+        }, 'PerformanceNavigationTiming jitter');
+
         // Canvas fingerprinting protection
         //
         safeExecute(() => {
@@ -1922,13 +2260,27 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
 
         // Battery API spoofing
         //
+        // Report the plugged-in / fully-charged default: charging=true,
+        // level=1, chargingTime=0, dischargingTime=Infinity. This is what a
+        // real Chrome desktop reports (verified against a live reference) AND
+        // what the largest slice of the population shows (desktops + plugged-in
+        // laptops), so it blends with the majority.
+        //
+        // Battery is a known fingerprinting vector. The prior approach
+        // per-domain-randomized a partial level (0.25..0.94) and the charging
+        // state — but a partial battery level is MORE identifying than the
+        // common plugged-in state, and "Desktop" form-factor + a discharging
+        // battery is mildly contradictory. The fixed plugged-in default is
+        // both the least-surprising value and carries zero cross-domain entropy.
+        // (Earlier history: an even-older spoof used Math.random() per field,
+        // which made level jump between reloads — also anomalous.)
         safeExecute(() => {
           if (navigator.getBattery) {
             const batteryState = {
-              charging: Math.random() > 0.5,
-              chargingTime: Math.random() > 0.5 ? Infinity : Math.floor(Math.random() * 3600),
-              dischargingTime: Math.floor(Math.random() * 7200),
-              level: Math.round((Math.random() * 0.7 + 0.25) * 100) / 100,
+              charging: true,
+              chargingTime: 0,
+              dischargingTime: Infinity,
+              level: 1,
               addEventListener: () => {},
               removeEventListener: () => {},
               dispatchEvent: () => true
@@ -1939,13 +2291,122 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'battery API spoofing');
 
+        // navigator.bluetooth (Web Bluetooth). Real Chrome ALWAYS exposes the
+        // Bluetooth object — even with no adapter, where getAvailability()
+        // resolves false. Headless Chrome omits it entirely, so `'bluetooth'
+        // in navigator` returning false is a headless tell. Provide a minimal
+        // stub (only when missing) so the presence check passes; report no
+        // adapter (false) — honest for a server, common for a real desktop,
+        // and avoids claiming hardware a requestDevice() probe couldn't back.
+        safeExecute(() => {
+          if (!navigator.bluetooth) {
+            const bt = {
+              getAvailability: () => Promise.resolve(false),
+              getDevices: () => Promise.resolve([]),
+              requestDevice: () => Promise.reject(
+                new DOMException('User cancelled the requestDevice() chooser.', 'NotFoundError')),
+              addEventListener: () => {},
+              removeEventListener: () => {},
+              dispatchEvent: () => true
+            };
+            if (typeof maskAsNative === 'function') {
+              maskAsNative(bt.getAvailability, 'getAvailability');
+              maskAsNative(bt.requestDevice, 'requestDevice');
+              maskAsNative(bt.getDevices, 'getDevices');
+            }
+            Object.defineProperty(navigator, 'bluetooth', { get: () => bt, configurable: true });
+          }
+        }, 'bluetooth API spoofing');
+
+        // SpeechSynthesis voices. Real Chrome ships an OS-dependent voice set;
+        // a non-Windows headless host can't have the Microsoft SAPI voices a
+        // Windows UA implies, so the short native list (2 voices here) reading
+        // back contradicts the claimed OS. Provide the canonical set for the
+        // claimed OS (verified vs a live Windows Chrome reference). Voice
+        // objects are built on SpeechSynthesisVoice.prototype with OWN data
+        // properties, so `voice instanceof SpeechSynthesisVoice` passes AND
+        // name/lang/localService read back the spoofed values (own props shadow
+        // the prototype getters). getVoices() returns a fresh array per call,
+        // like real Chrome.
+        safeExecute(() => {
+          if (!window.speechSynthesis) return;
+          const SSV = window.SpeechSynthesisVoice;
+          const isWin = /Windows/.test(userAgent);
+          const mk = (name, lang, local) => {
+            const data = { voiceURI: name, name, lang, localService: local, default: false };
+            if (SSV && SSV.prototype) {
+              const v = Object.create(SSV.prototype);
+              for (const k in data) {
+                Object.defineProperty(v, k, { value: data[k], enumerable: true, configurable: true, writable: k === 'default' });
+              }
+              return v;
+            }
+            return data;
+          };
+          // Microsoft SAPI voices are Windows-only; the Google network voices
+          // are the same set across platforms.
+          const ms = isWin ? [
+            mk('Microsoft David - English (United States)', 'en-US', true),
+            mk('Microsoft Mark - English (United States)', 'en-US', true),
+            mk('Microsoft Zira - English (United States)', 'en-US', true)
+          ] : [];
+          const google = [
+            ['Google Deutsch', 'de-DE'], ['Google US English', 'en-US'],
+            ['Google UK English Female', 'en-GB'], ['Google UK English Male', 'en-GB'],
+            ['Google español', 'es-ES'], ['Google español de Estados Unidos', 'es-US'],
+            ['Google français', 'fr-FR'], ['Google हिन्दी', 'hi-IN'],
+            ['Google Bahasa Indonesia', 'id-ID'], ['Google italiano', 'it-IT'],
+            ['Google 日本語', 'ja-JP'], ['Google 한국의', 'ko-KR'],
+            ['Google Nederlands', 'nl-NL'], ['Google polski', 'pl-PL'],
+            ['Google português do Brasil', 'pt-BR'], ['Google русский', 'ru-RU'],
+            ['Google 普通话（中国大陆）', 'zh-CN'], ['Google 粤語（香港）', 'zh-HK'],
+            ['Google 國語（臺灣）', 'zh-TW']
+          ].map(([n, l]) => mk(n, l, false));
+          const voices = ms.concat(google);
+          if (voices[0]) voices[0].default = true;
+          window.speechSynthesis.getVoices = function getVoices() { return voices.slice(); };
+          if (typeof maskAsNative === 'function') maskAsNative(window.speechSynthesis.getVoices, 'getVoices');
+        }, 'speechSynthesis voices spoofing');
+
+        // Web Share API (navigator.share / canShare). Present on real DESKTOP
+        // Chrome (since 89) but absent in headless, so `'share' in navigator`
+        // returning false contradicts a desktop UA. Provide stubs only when
+        // missing. canShare() mirrors Chrome's "is there shareable data?"
+        // result; share() requires transient user activation, which automation
+        // never has, so real Chrome rejects with NotAllowedError — match that.
+        safeExecute(() => {
+          if (typeof navigator.canShare !== 'function') {
+            const canShare = function canShare(data) {
+              if (!data) return false;
+              return !!(data.url || data.text || data.title || (data.files && data.files.length));
+            };
+            const share = function share() {
+              return Promise.reject(new DOMException(
+                'Must be handling a user gesture to perform a share request.', 'NotAllowedError'));
+            };
+            if (typeof maskAsNative === 'function') { maskAsNative(canShare, 'canShare'); maskAsNative(share, 'share'); }
+            Object.defineProperty(navigator, 'canShare', { value: canShare, configurable: true, writable: true });
+            Object.defineProperty(navigator, 'share', { value: share, configurable: true, writable: true });
+          }
+        }, 'web share API spoofing');
+
         // Enhanced Mouse/Pointer Spoofing
         //
         safeExecute(() => {
-          // Spoof pointer capabilities
-          const spoofedTouchPoints = Math.random() > 0.7 ? 0 : Math.floor(Math.random() * 5) + 1;
+          // Spoof pointer capabilities — UA-consistent. Previous code did
+          //   Math.random() > 0.7 ? 0 : Math.floor(Math.random() * 5) + 1
+          // which randomly told the page 'this Windows Chrome has 3 touch
+          // points' -- a fingerprinter cross-checking userAgent against
+          // maxTouchPoints catches the invariant violation:
+          //   Windows/Mac/Linux Chrome   -> maxTouchPoints = 0
+          //   iOS Safari, Android Chrome -> maxTouchPoints = 5 (typical)
+          //   Touch-laptop hybrid        -> maxTouchPoints = 10 (rare)
+          // Use the spoofed UA (userAgent variable in this closure) to
+          // pick the right value. Mobile UAs get 5; desktop UAs get 0.
+          const isMobileUA = /Android|iPhone|iPad|iPod|Mobile/i.test(userAgent || '');
+          const spoofedTouchPoints = isMobileUA ? 5 : 0;
           if (navigator.maxTouchPoints !== undefined) {
-            safeDefinePropertyLocal(navigator, 'maxTouchPoints', { 
+            safeDefinePropertyLocal(navigator, 'maxTouchPoints', {
               get: () => spoofedTouchPoints
             });
           }
@@ -2067,21 +2528,24 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
 
         }, 'console error suppression');
         
-        // Hide source URL indicators (data: URLs reveal script injection)
-        safeExecute(() => {
-          const originalLocation = window.location;
-          Object.defineProperty(window, 'location', {
-            value: new Proxy(originalLocation, {
-              get: function(target, prop) {
-                if (prop === 'href' && target[prop] && target[prop].includes('data:')) {
-                  return 'about:blank';
-                }
-                return target[prop];
-              }
-            }),
-            configurable: false
-          });
-        }, 'location URL masking');
+        // NOTE: The previous `location URL masking` Proxy was removed.
+        // It wrapped window.location in a Proxy to return 'about:blank' when
+        // location.href.includes('data:') — a bookmarklet/extension-injection
+        // hider. nwss.js always navigates to real http(s) URLs via page.goto(),
+        // so location.href never contains 'data:' and the spoof was dead code
+        // for every real scan path. Costs it imposed before removal:
+        //   - `configurable: false` on window.location blocked page-side
+        //     navigation guards (Cloudflare rocket-loader, ad-script location
+        //     manipulation, popunder teardown) from redefining window.location.
+        //   - Proxy boundary visible via Object.getOwnPropertyDescriptor
+        //     (Proxy's value-as-non-spec-shape is a detectable surface).
+        //   - Page-side Object.defineProperty(location, 'href', ...) calls
+        //     hit the Proxy first, then forwarded to a spec-non-configurable
+        //     property, throwing "Cannot redefine property: href" — log noise
+        //     and a contributor to post-popup browser-unresponsive states on
+        //     popunder sites (eztv1.xyz scan reproduced this).
+        // If a future use case actually loads via data: URL, reintroduce as a
+        // get-trap-only Proxy with configurable:true so pages can override.
 
         // Bulk-mask all spoofed prototype methods so toString() returns "[native code]"
         // Must run AFTER all overrides are applied
@@ -2091,7 +2555,9 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
             [HTMLCanvasElement.prototype, ['getContext', 'toDataURL', 'toBlob']],
             [CanvasRenderingContext2D.prototype, ['getImageData', 'fillText', 'strokeText', 'measureText']],
             [EventTarget.prototype, ['addEventListener', 'removeEventListener']],
-            [Date.prototype, ['getTimezoneOffset']],
+            // Date.prototype.getTimezoneOffset is no longer overridden (timezone
+            // is done via CDP emulateTimezone), so the native function needs no
+            // masking — masking a native fn is at best a no-op, at worst a wrap.
           ];
           if (typeof WebGL2RenderingContext !== 'undefined') {
             protoMasks.push([WebGL2RenderingContext.prototype, ['getParameter', 'getExtension']]);
@@ -2172,7 +2638,7 @@ async function applyUserAgentSpoofing(page, siteConfig, forceDebug, currentUrl)
           }
         }, 'interaction-gated script trigger');
 
-      }, ua, forceDebug, selectedGpu, realistic.hardwareConcurrency);
+      }, ua, forceDebug, selectedGpu, realistic.hardwareConcurrency, CHROME_BUILD, CHROME_GREASE_BRAND);
     } catch (stealthErr) {
       if (isSessionClosedError(stealthErr)) {
         if (forceDebug) console.log(formatLogMessage('debug', `Page closed during stealth injection: ${currentUrl}`));
@@ -2327,19 +2793,22 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       // Platform, memory, and hardware spoofing combined for better V8 optimization
       // (moved into navigatorProps above);
 
-      const connectionInfo = {
-        effectiveType: ['slow-2g', '2g', '3g', '4g'][Math.floor(Math.random() * 4)],
-        type: Math.random() > 0.5 ? 'cellular' : 'wifi',
-        saveData: Math.random() > 0.8,
-        downlink: 1.5 + Math.random() * 8,
-        rtt: 50 + Math.random() * 200
-      };
+      // navigator.connection spoof DELETED -- was dead code.
+      // The UA-spoof block (applyUserAgentSpoofing's eOND, ~line 1452)
+      // already defines navigator.connection earlier in the eOND
+      // registration order, with Object.defineProperty (default
+      // configurable: false). The previous re-spoof here used
+      // safeDefinePropertyLocal which has an `existing?.configurable
+      // === false` guard, so it silently failed every time the UA spoof
+      // ran. Net effect: per-navigation random connection values
+      // generated here NEVER reached navigator.connection -- the
+      // hardcoded '4g'/wifi/50/10 from the UA block always won.
+      // Removing this block has zero behavioural change in the typical
+      // (UA + fingerprint_protection) case, and makes the code's actual
+      // behaviour match what reading it would suggest. Per-domain
+      // realistic-randomization of connection is a future improvement;
+      // do it ONCE in the UA-spoof block, not twice with one of them dead.
 
-      // Connection type spoofing
-      safeDefinePropertyLocal(navigator, 'connection', {
-        get: () => connectionInfo
-      });
-      
       // Screen properties spoofing
       const screenSpoofProps = {};
       ['width', 'height', 'availWidth', 'availHeight', 'colorDepth', 'pixelDepth'].forEach(prop => {
@@ -2357,36 +2826,14 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       };
       spoofNavigatorProperties(navigator, languageSpoofProps);
 
-      // Timezone spoofing
-      if (spoof.timezone && window.Intl?.DateTimeFormat) {
-        const OriginalDateTimeFormat = window.Intl.DateTimeFormat;
-        window.Intl.DateTimeFormat = function(...args) {
-          const instance = new OriginalDateTimeFormat(...args);
-          const originalResolvedOptions = instance.resolvedOptions;
-          
-          instance.resolvedOptions = function() {
-            const opts = originalResolvedOptions.call(this);
-            opts.timeZone = spoof.timezone;
-            return opts;
-          };
-          return instance;
-        };
-        Object.setPrototypeOf(window.Intl.DateTimeFormat, OriginalDateTimeFormat);
-
-        // Timezone offset spoofing
-        const timezoneOffsets = {
-          'America/New_York': 300,
-          'America/Los_Angeles': 480,
-          'Europe/London': 0,
-          'America/Chicago': 360
-        };
-        
-        const originalGetTimezoneOffset = Date.prototype.getTimezoneOffset;
-        Date.prototype.getTimezoneOffset = function() {
-          return timezoneOffsets[spoof.timezone] || originalGetTimezoneOffset.call(this);
-        };
-      }
-      
+      // Timezone is handled at the CDP level via page.emulateTimezone() (set
+      // in applyFingerprintProtection, Node side) — NOT here. JS-patching
+      // Intl.resolvedOptions + Date.getTimezoneOffset was actively harmful: it
+      // left the real Date object in the host's true zone, so the formatted
+      // time / getHours() / Date.toString() contradicted the claimed zone, and
+      // the hardcoded offsets ignored DST. emulateTimezone makes every Date and
+      // Intl read consistent, so no JS override is needed (or wanted) here.
+
       // Cookie and DNT spoofing
       if (spoof.cookieEnabled !== undefined) {
         safeDefinePropertyLocal(navigator, 'cookieEnabled', { get: () => spoof.cookieEnabled });
@@ -2396,6 +2843,22 @@ async function applyFingerprintProtection(page, siteConfig, forceDebug, currentU
       }
       
     }, { spoof, debugEnabled: forceDebug });
+
+    // Timezone: use CDP-level emulation (Emulation.setTimezoneOverride) instead
+    // of JS patching. The old JS overrides (Intl.resolvedOptions + Date.proto
+    // getTimezoneOffset) left the REAL Date object in the host's true zone, so
+    // Date.toString(), getHours(), and an Intl format of the same instant all
+    // contradicted the claimed zone (verified: claimed America/New_York while
+    // Date reported the host zone — an 8-hour hour gap, a textbook tell).
+    // emulateTimezone changes the browser's ACTUAL timezone, so Date, Intl, and
+    // getTimezoneOffset are all consistent (and DST-correct).
+    if (spoof.timezone) {
+      try {
+        await page.emulateTimezone(spoof.timezone);
+      } catch (tzErr) {
+        if (forceDebug) console.log(formatLogMessage('debug', `emulateTimezone(${spoof.timezone}) failed for ${currentUrl}: ${tzErr.message}`));
+      }
+    }
   } catch (err) {
     if (isSessionClosedError(err)) {
       if (forceDebug) console.log(formatLogMessage('debug', `Page closed during fingerprint injection: ${currentUrl}`));
@@ -2573,6 +3036,13 @@ async function applyAllFingerprintSpoofing(page, siteConfig, forceDebug, current
 // module.exports only if a new external consumer appears.
 module.exports = {
   applyAllFingerprintSpoofing,
+  // Build portion of the Chrome full version — nwss.js uses it to keep the
+  // Sec-CH-UA-Full-Version* HTTP headers consistent with the JS high-entropy
+  // spoof. Single source of truth for the build that the reduced UA hides.
+  CHROME_BUILD,
+  // GREASE brand string — nwss.js uses it for the Sec-CH-UA / -Full-Version-List
+  // headers so the HTTP brand list matches the JS brands (and real Chrome).
+  CHROME_GREASE_BRAND,
   // Exposed for scripts/test-stealth.js so the harness can validate --ua=
   // against the canonical UA list (instead of duplicating the keys here).
   // The Map itself is frozen; consumers cannot mutate the spoof source.