Google Accidentally Publishes Details of Unfixed Chromium Bug Allowing Silent JavaScript Execution

Google accidentally published details of an unfixed Chromium flaw that lets JavaScript keep running silently even after the browser is closed, enabling remote code execution and potential botnet creation.

CSBadmin

How the Vulnerability Works

A security researcher named Lyra Rebane discovered a flaw in Chromium that allows JavaScript to continue running in the background even after the browser is closed. The issue involves Service Workers, scripts that run in the background to enable features such as offline functionality. An attacker could create a malicious webpage whose Service Worker never terminates, for example by posing as a download task that never finishes, enabling remote JavaScript execution on the visitor's device. Rebane warned that this could be used to build a botnet from thousands of browsers without users being aware that code is running on their machines.

The exploit affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. Potential attack scenarios include using compromised browsers to launch distributed denial-of-service attacks, proxying malicious traffic, or redirecting users to targeted websites.
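As an added example (not from the article, from Rebane's research, or from Chromium itself), the following browser-side check lists the Service Worker registrations for the current origin and unregisters any whose scope is not on an allow-list, using the standard `navigator.serviceWorker.getRegistrations()` and `ServiceWorkerRegistration.unregister()` APIs. The names `auditServiceWorkers` and `makeFakeContainer`, the sample scopes and the allow-list are assumptions; the container is passed in as a parameter so the same function can be exercised against a stand-in object outside a browser.

```javascript
// Added example, not code from the article or from Chromium.
// In a browser console run:
//   auditServiceWorkers(navigator.serviceWorker, ["https://trusted.example/"])
// to see which background scripts the current origin has registered and to
// remove the ones you did not expect.

async function auditServiceWorkers(container, allowedScopes = []) {
  // getRegistrations() resolves to every ServiceWorkerRegistration for the
  // origin of the page that calls it (it is a per-origin view, not global).
  const registrations = await container.getRegistrations();
  const report = { kept: [], removed: [] };

  for (const reg of registrations) {
    const scope = reg.scope;
    const allowed = allowedScopes.some((prefix) => scope.startsWith(prefix));
    if (allowed) {
      report.kept.push(scope);
      continue;
    }
    // unregister() resolves to true once the registration is marked for
    // removal; a worker that is already running stops when its last client
    // goes away, so this removes the persistence rather than killing a task
    // mid-flight.
    const ok = await reg.unregister();
    (ok ? report.removed : report.kept).push(scope);
  }
  return report;
}

// Constructed stand-in for navigator.serviceWorker so the audit can run
// outside a browser (e.g. under Node). Scopes and behaviour are hypothetical.
function makeFakeContainer(scopes) {
  const registrations = scopes.map((scope) => ({
    scope,
    unregister: async () => true,
  }));
  return { getRegistrations: async () => registrations };
}
```

`getRegistrations()` only shows the origin of the page it runs on, so this is a per-site check; in a Chromium browser the internal page `chrome://serviceworker-internals` lists registrations across all origins. Unregistering removes the background persistence the article describes on a machine you administer; it is a cleanup step, not a fix for the underlying bug.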

Leak and Ongoing Risk

Google initially marked the bug as fixed in February, but the patch never actually shipped. Under standard policy, access restrictions on the Chromium Issue Tracker were lifted in May, after the bug had been closed for more than 14 weeks, which inadvertently exposed full details of the still-unpatched vulnerability. Rebane later tested the fix and confirmed the exploit still works in Chrome Dev 150 and Edge 148. In Microsoft Edge the exploit no longer triggers a download pop-up, making it completely silent and therefore more dangerous.

Google has since re-restricted access to the bug report, but the details had already been exposed long enough for potential exploitation. While the vulnerability does not bypass browser security boundaries or grant access to emails, files, or the host operating system, the leaked details significantly raise the risk to users. Security experts expect Google to treat this as urgent and release emergency fixes soon.

Source: BleepingComputer

CSBadmin

The latest in cybersecurity news and updates.
