Google's Accidental Disclosure Highlights Unpatched Chromium Vulnerability
Google has inadvertently disclosed details of an unpatched vulnerability in the Chromium browser engine that allows JavaScript code to continue running in the background even after the browser is closed, potentially enabling remote code execution. The issue, initially reported by security researcher Lyra Rebane in December 2022, was acknowledged by Google but remains unresolved.
The flaw enables attackers to create malicious webpages with persistent Service Workers, allowing JavaScript code to execute on users' devices without their knowledge. Rebane highlighted the risk, stating that attackers could exploit this to create botnets without users being aware of the background execution.
Although the issue was marked as fixed in February 2026, the vulnerability persists. Rebane found that it remains exploitable in Chrome Dev 150 and Edge 148, noting that in Edge the exploit operates silently, without user prompts.
The vulnerability affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. Given the widespread use of these browsers, the risk to users is significant. Google is expected to prioritize releasing a patch to address this issue promptly.