Last updated: July 5, 2026 at 9:01 AM UTC

Google leaks unfixed Chromium flaw - Service Workers run JavaScript after browser closes, enabling silent botnet on Chrome, Edge, Brave

Google has accidentally published the technical details of an unfixed Chromium vulnerability that lets a malicious webpage run JavaScript on a visitor's device even after the browser is closed. The issue, originally reported by researcher Lyra Rebane in December 2022, abuses a Service Worker download task that never terminates. It was marked 'fixed' on February 12, and the bug tracker entry became public on May 20 after the 14-week visibility timer expired, but Rebane re-tested the latest Chrome Dev 150 and Edge 148 and confirmed the bug still works. Microsoft Edge no longer shows a download prompt, making the persistence completely silent. All Chromium-based browsers are affected.

Check
Inventory Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, Arc) and check current Service Worker activity at chrome://serviceworker-internals/ for unexpected background fetches surviving browser close.
Affected
All Chromium-based browsers including Chrome Dev 150 and Edge 148 (and earlier). Confirmed bug in Service Worker handling. The Edge variant is silent (no download prompt).
Fix
No vendor patch yet. Until one ships: enforce a Chrome/Edge policy that blocks background-fetch or restricts service-worker scopes. Educate users to manually unregister Service Workers via chrome://serviceworker-internals/.