Google leaks unfixed Chromium flaw - Service Workers run JavaScript after browser closes, enabling silent botnet on Chrome, Edge, Brave
Google has accidentally published the technical details of an unfixed Chromium vulnerability that lets a malicious webpage run JavaScript on a visitor's device even after the browser is closed. The issue, originally reported by researcher Lyra Rebane in December 2022, abuses a Service Worker download task that never terminates. It was marked 'fixed' on February 12 and the bug tracker went public on May 20 after the 14-week visibility timer expired, but Rebane re-tested the latest Chrome Dev 150 and Edge 148 and confirmed the bug still works. Microsoft Edge no longer shows a download prompt, making the persistence completely silent. All Chromium-based browsers are affected.
- Check
- Inventory Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, Arc) and check current Service Worker activity at chrome://serviceworker-internals/ for unexpected background fetches surviving browser close.
- Affected
- All Chromium-based browsers including Chrome Dev 150 and Edge 148 (and earlier). Confirmed bug in Service Worker handling. The Edge variant is silent (no download prompt).
- Fix
- No vendor patch yet. Until one ships: enforce a Chrome/Edge policy that blocks background-fetch or restricts service-worker scopes. Educate users to manually unregister Service Workers via chrome://serviceworker-internals/.