A coalesced pointer batch contains an untrusted (constructor-built) event — fabricated coalescing

br.coalesced_untrusted  ·  convicts

browserlayer
artifactcategory
1evaders caught

What it catches

v0.74.37. The Proxy-over-native counter (red-team COALESCE_PROXY): after the getCoalescedEvents native-tamper check (v0.74.36) was added, a bot wraps the real getCoalescedEvents in new Proxy(realGCE,{apply}) — keeping the function native (toString/invariant clean, beating br.tostring_tampered + br.native_invariant_violated) — yet fabricates the coalesced batch to beat bh.synthetic_no_coalesced. But getCoalescedEvents must return the UA's OWN native samples, which are ALWAYS isTrusted (hardware AND CDP-dispatched events are trusted); a constructor-built new PointerEvent() is isTrusted=false. So an untrusted event inside a length>1 coalesced batch is impossible for a real browser → a hard fabrication artifact. The Proxy keeps the FUNCTION native but cannot forge trusted DATA. Grounded live: COALESCE_PROXY fires it; HUMAN_MOUSE + plain STEALTH (real CDP events, isTrusted=true, or length<=1) do NOT — FP-safe. Convicting (artifact). Next red-team rung needs genuinely-trusted coalesced events = real hardware input (external frontier).

Signals it reads

browser.coalesced_untrusted

How it fires

present

Evaders it caught 1

Bypassed by 10

Frontier evaders that reach the detector uncaught (scored only suspicious, defeating every convicting tell) — this check is not one that stops them. The red-team frontier this detection still has to convict.

← all detections