The flaw gives sites access to all the other sites that user has visited. Many use it to target ads or see if users are patronising rivals.
The researchers said their work showed a need for better defences against history tracking.
The bug exploits the way that many browsers handle links people have visited. Many change the colour of the text to reflect that earlier visit.
This can be abused with a specially written chunk of code sitting on a website that interrogates a visitors browser to see what it does to a given list of websites. Any displayed in a different colour are judged to be those a user has already seen.
A survey of 50,000 of the web's most visited websites by the team from UC San Diego found 485 sites using this method to get at browser histories, 63 were copying the data it reveals and 46 were found to be "hijacking" a user's history.
Users can also check how much information they are leaking by visiting a webpage set up by security researchers that tries to grab their history.
Despite these safeguards, the researchers said there was a "pressing need to devise flexible, precise and efficient defenses" against the history hijacking technique.
The research team is now planning more in-depth work that it hopes will result in tools that will more comprehensively defend against attempts to exploit the bug.