Graz University of Technology researchers demonstrated FROST, a JavaScript-only timing side-channel attack that runs from any ordinary web page and uses the Origin Private File System (OPFS) API to infer visited websites and open desktop applications, with no permissions or native code required. Chrome, Firefox, and Safari on macOS and Linux are all affected. No vendor has shipped a mitigation as of the research publication date. This is a passive behavioral surveillance capability, not a data exfiltration exploit.