Google has accidentally exposed details about an unfixed Chromium security issue that can keep JavaScript running in the background even after the browser is closed, potentially allowing attackers to remotely run code through a malicious webpage.

The flaw was first reported by security researcher Lyra Rebane and was accepted as a valid issue in December 2022 through the Chromium Issue Tracker. According to the report, an attacker could abuse the problem by creating a malicious webpage with a Service Worker, such as a download-related task, that never properly stops running.

Rebane warned that this could allow attackers to keep executing JavaScript on a visitor’s device after they visit a single website. In the original bug report, the researcher said it was realistic for attackers to generate tens of thousands of page views and create something similar to a browser-based botnet, while users would not realize that JavaScript was still running remotely on their devices.

Possible abuse cases include using affected browsers to launch distributed denial-of-service attacks, proxy malicious traffic, or redirect traffic to targeted websites. The issue affects Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.

The bug remained open for a long time. On October 26, 2024, a Google developer noticed that the issue was still unresolved and called it a serious vulnerability that needed a status update. On February 10 this year, the issue was briefly marked as fixed but was reopened minutes later because of remaining concerns.

READ
Australian Cyber Agency Warns of Global Attacks Targeting WordPress, Joomla, Craft CMS, and Other Websites

Because the report involved a security issue, Google updated its labels so it could be reviewed through the Chrome Vulnerability Rewards Program panel. The issue was again marked as fixed on February 12, even though a patch had not yet been released to users. Rebane later received an automated email saying she had been awarded a $1,000 bug bounty.

The problem became more serious on May 20, when Chromium Issue Tracker automatically removed access restrictions because the bug had been closed for more than 14 weeks and marked as fixed in the system. That made the details public, even though the issue was apparently still exploitable.

On the same day, Rebane tested the supposed fix and found that the bug still worked in Chrome Dev 150 and Edge 148. The researcher later said that the flaw could turn any Chromium-based browser into a persistent JavaScript botnet member without user interaction after visiting a website once.

Rebane also noted that, in Microsoft Edge, users might not notice anything unusual because the browser could stay connected to the attacker-controlled server even after being closed. The researcher said the situation had become worse because the download pop-up that previously appeared when triggering the exploit no longer shows in the latest Edge, making the activity more silent.

Although Google made the issue private again, the details had already been exposed long enough to leak. Rebane told Ars Technica that the accidental exposure could make exploitation easier, although turning it into a large-scale botnet would still be more complicated.

READ
Former Ransomware Negotiator Sentenced to Four Years for Helping BlackCat Cyberattacks

The researcher also clarified that the bug does not break out of the browser’s security boundaries and does not give attackers direct access to a victim’s emails, files, or operating system. However, because the issue affects all Chromium-based browsers and the details have already leaked, the risk is still significant.


Buy ExpressVPN with PayPal or Credit Card

Google is expected to treat the matter as urgent and may release emergency fixes soon. BleepingComputer said it contacted Google for comment about the exposure but had not received a response at the time of publication.

Advertisement