Google Exposes Unfixed Chromium Flaw That Keeps JavaScript Running in the Background
Google accidentally published details of an unfixed Chromium flaw that lets a background Service Worker keep JavaScript running after the browser is closed, enabling remote code execution on visiting devices. Reported by security researcher Lyra Rebane and tracked in the Chromium Issue Tracker since 2022, the vulnerability could be exploited to build botnets or drive DDoS attacks across all Chromium-based browsers. Despite prior claims of a fix, Rebane demonstrated that the issue persists in recent builds, and Google's exposure of the details has heightened the risk, with an emergency patch anticipated.

Google Accidentally Exposed Details of Unfixed Chromium Flaw
Overview
A security mishap revealed details about an unfixed vulnerability in the Chromium project that allows JavaScript to continue running in the background even after the browser is closed. This behavior can enable remote code execution on a user’s device. The issue was first reported by security researcher Lyra Rebane and was confirmed as valid in December 2022 in the Chromium Issue Tracker. The exposure has implications for all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
The Flaw: How it Works
- Core issue: A Service Worker in a malicious webpage can create a task (such as a download) that never terminates, allowing JavaScript to keep executing on the visitor’s device even after the browser window is closed.
- Potential outcomes: An attacker could leverage this to run arbitrary JavaScript code on the target device, effectively turning a visitor’s browser into a persistent “bot” without user interaction.
- Realistic scale: Researchers note that it is feasible to draw tens of thousands of pageviews to a single malicious site in order to build a botnet, without any of those users realizing that JavaScript is still executing on their devices.
- Threat scenarios: Compromised browsers could be used to launch distributed denial-of-service (DDoS) attacks, proxy malicious traffic, or arbitrarily redirect user requests to targeted sites.
Impact and Scope
- Affected software: All Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
- Security boundaries: While the vulnerability enables persistent JavaScript execution, the bug does not grant attackers direct access to emails, files, or the host operating system. Nevertheless, the risk to large numbers of users remains significant due to the ease of triggering the exploit via a single visit to a crafted webpage.
Timeline of Developments
- October 26, 2024: A Google developer acknowledged that the issue remained open and described it as a “serious vulnerability” needing progress updates, underscoring how long the flaw had gone unaddressed.
- February 10, 2026: The issue was marked as fixed and then reopened minutes later amid several concerns raised by the community and researchers.
- February 12, 2026: The issue was again marked as fixed, even though a patch had not yet been released to users.
- Automated notification: Rebane received an automated email informing her that a bug bounty of $1,000 had been awarded for the vulnerability.
- May 20, 2026: Access restrictions on the Chromium Issue Tracker entry were lifted after the bug had been marked fixed for more than 14 weeks. Rebane subsequently tested the purported fix and found that the issue persisted in Chrome Dev 150 and Edge 148.
- Post-exposure observations: Rebane publicly remarked that the exploit could be activated with no user interaction and that Edge had become stealthier, lacking the download prompt that previously accompanied exploit execution. She emphasized that the vulnerability remained active even after closing the browser on certain configurations.
- Quote: “Back in 2022, I found a bug that would let me, with no user interaction, turn any Chromium-based browser into a permanent JS botnet member.”
- Follow-up: “OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS,” highlighting ongoing concern about the fix’s effectiveness.
Exposure and Repercussions
- Public exposure: Although the vulnerability details were later restricted again, they were public long enough for information that could facilitate exploitation to spread.
- Expert assessment: Researchers indicated that Google’s disclosure could make exploitation considerably easier, though turning such an exploit into a broad botnet requires additional steps and coordination.
- Practical limitations: The bug’s nature does not inherently bypass standard browser security boundaries, and it does not grant access to user emails, documents, or the host OS. However, persistent JavaScript execution on a large scale presents a substantial risk for attackers seeking to create botnets or orchestrate other cyber operations.
- Industry response: The incident underscores the importance of careful disclosure timing and validation of fixes in a project with widespread deployment. It also highlights the need for robust protections around Service Workers and long-running background tasks in a browser context.
Context and Related Considerations
- Automated testing versus real-world controls: The surrounding discussion includes references to automated pentesting and the limitations of testing only whether a threat can move through a network, rather than whether defensive controls and detections are effective.
- Public-facing disclosures: The case illustrates how exposure of internal vulnerability details can have cascading effects, potentially enabling mass exploitation if not managed carefully.
- Cross-browser implications: Because the vulnerability affects Chromium-based browsers across multiple vendors, coordinated fixes and transparent communication are essential to minimize risk to end users.
Closing Thoughts
The Google Chromium exposure case serves as a stark reminder of how a single persistent weakness in background processing can have outsized consequences across a broad ecosystem. While the core vulnerability does not automatically grant access to sensitive data or the host system, the ability to maintain JavaScript execution after a browser is closed raises serious concerns about user consent, background activity, and the potential for abuse. The evolving timeline, from initial discovery in 2022 through post-exposure developments in 2024–2026, illustrates the challenges of patch validation, disclosure ethics, and synchronized defense when a flaw resides at the heart of a widely used web platform.