Google Accidentally Exposes Details of Unpatched Chromium Vulnerability

Google appears to have unintentionally disclosed details about an unresolved Chromium vulnerability that could allow JavaScript to continue running in the background even after a browser has been closed.

The issue, originally reported by security researcher Lyra Rebane in December 2022, affects Chromium’s handling of Service Workers. According to the original report, an attacker could craft a malicious webpage that starts a persistent Service Worker task, such as a download process, that does not properly terminate. This could allow JavaScript to continue executing on a visitor’s device after they leave the site or close the browser.
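The point that matters for defenders in the paragraph above is that a Service Worker is registered per origin and outlives the page that installed it, so a user or support engineer who wants to know what is still registered has to go looking for it. The snippet below is an added illustration, not code from the article, from the researcher, or from the Chromium project: it lists the registrations for the current origin and unregisters any whose scope is not on an allowlist. The function names `planSweep`, `describeRegistration` and `sweepServiceWorkers`, and the allowlist format, are this example's own; the only browser APIs it relies on are the standard `navigator.serviceWorker.getRegistrations()` and `ServiceWorkerRegistration.unregister()`.

```javascript
// Added example, not from the article or the Chromium project.
// Defender-side hygiene for the issue the article describes: service
// workers outlive the page that registered them, so it is useful to see
// what is registered for an origin and drop anything not on an allowlist.
// planSweep, describeRegistration and sweepServiceWorkers are names chosen
// for this example, not browser API names.

// Pure decision step: given registration-like objects ({ scope, state })
// and a list of allowed scope prefixes, decide which to keep and which to
// remove. Kept separate from the async step so it can be tested outside
// a browser.
function planSweep(registrations, allowedScopes) {
  const kept = [];
  const removed = [];
  for (const reg of registrations) {
    const scope = String(reg.scope);
    // A scope is allowed only if it sits under an allowlisted prefix.
    // Prefixes are normalised to end in "/" so "https://a.example" does
    // not accidentally match "https://a.example.evil".
    const allowed = allowedScopes.some((prefix) => {
      const p = prefix.endsWith('/') ? prefix : prefix + '/';
      return scope === prefix || scope.startsWith(p);
    });
    (allowed ? kept : removed).push({ scope, state: reg.state || 'unknown' });
  }
  return { kept, removed };
}

// Turns a live ServiceWorkerRegistration into the plain shape planSweep uses,
// keeping a reference to the real registration so it can be unregistered.
function describeRegistration(reg) {
  const worker = reg.active || reg.waiting || reg.installing;
  return { scope: reg.scope, state: worker ? worker.state : 'none', raw: reg };
}

// Async step: run in a page or DevTools console on the origin to inspect.
// `container` defaults to navigator.serviceWorker, whose getRegistrations()
// only returns registrations for the current origin. unregister() clears a
// registration so the browser will not start that worker again; it does
// not promise to stop a worker that is executing right now.
async function sweepServiceWorkers(allowedScopes, container) {
  const sw = container || (typeof navigator !== 'undefined' ? navigator.serviceWorker : null);
  if (!sw) {
    return { kept: [], removed: [], error: 'Service Worker API not available here' };
  }
  const regs = (await sw.getRegistrations()).map(describeRegistration);
  const plan = planSweep(regs, allowedScopes);
  for (const entry of plan.removed) {
    const live = regs.find((r) => r.scope === entry.scope);
    entry.unregistered = await live.raw.unregister();
  }
  return { kept: plan.kept, removed: plan.removed, error: null };
}
```

Because `getRegistrations()` is scoped to the origin of the page it runs in, this has to be run once per origin of interest; in Chromium-based browsers the internal page `chrome://serviceworker-internals` shows every registration across origins in one place. Whether clearing the registration is enough to stop a worker kept alive by the bug the article describes is not something the article states, so treat this as inventory and cleanup, not as a fix.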

The vulnerability affects Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.

Potential abuse scenarios include using compromised browsers to support distributed denial-of-service attacks, proxy malicious traffic, or redirect users to attacker-controlled destinations. Rebane warned that a popular malicious page could potentially generate enough visits to create a browser-based botnet without users realizing their device was still running remote JavaScript.

The issue remained open for years. In October 2024, a Google developer reportedly flagged the bug as a serious vulnerability that needed a status update. Earlier this year, the issue was briefly marked as fixed, reopened minutes later due to concerns, and then marked fixed again in February, even though a patch had not yet shipped.

Because the tracker listed the issue as fixed for more than 14 weeks, access restrictions were automatically removed on May 20. That made the technical details publicly visible. Rebane later tested the issue and found that it still worked in Chrome Dev 150 and Edge 148.

The researcher said the issue was especially concerning in Microsoft Edge, where the exploit could continue running silently after the browser was closed. In newer versions of Edge, the previous download pop-up no longer appears, making the activity less noticeable to users.

After the exposure was discovered, the issue was made private again. However, the details were reportedly visible long enough to leak.

Rebane clarified that the vulnerability does not bypass browser sandbox protections and does not give attackers direct access to a user’s files, emails, or operating system. However, because it could allow persistent background JavaScript execution from a single website visit, the risk remains significant.

Google is expected to prioritize a fix now that details of the unresolved issue have been exposed.

Aaron Fare