Daily Technology
·22/05/2026
Unfixed Chromium Flaw Puts Major Browsers at Risk of Silent Exploitation
ADVERTISEMENT
ADVERTISEMENT
Google has inadvertently disclosed details of a significant, unpatched vulnerability within its Chromium browser engine. This flaw, which affects a wide range of popular web browsers, could allow attackers to remotely execute code on a user's device long after the browser has been closed, creating a persistent security threat.
The Persistent JavaScript Flaw
The core of the vulnerability, first reported by security researcher Lyra Rebane in late 2022, lies in how Chromium handles JavaScript Service Workers. An attacker can craft a malicious webpage that initiates a background task, such as a fake download, which never terminates.
ADVERTISEMENT
This allows JavaScript code to continue running indefinitely on the visitor's device, even if the browser application is shut down. This effectively creates a permanent backdoor for remote code execution, all from a single visit to a compromised site.
One visit can persist after shutdown
The exploit lets malicious JavaScript continue operating even after the user closes the browser, turning a single pageview into an ongoing risk.
The Risk of Stealth Botnets
The primary danger of this exploit is its potential to create large-scale "botnets." Compromised browsers could be harnessed without the user's knowledge for malicious activities.
The possible abuse falls into several practical categories.
ADVERTISEMENT
How compromised browsers could be used
DDoS attacks
traffic floods·distributed abuse
Infected browsers could be coordinated to bombard targets with traffic and help overwhelm online services.
Malicious proxies
traffic relays·stealth routing
Attackers could route harmful traffic through victim devices, masking its true origin behind unsuspecting users.
Forced redirects
user hijacking·arbitrary destinations
Victims could be silently pushed to other sites under attacker control or used in broader malicious campaigns.
Real-world applications include launching Distributed Denial-of-Service (DDoS) attacks, using the infected devices as proxies for malicious traffic, or arbitrarily redirecting users to other websites. The researcher noted that achieving tens of thousands of pageviews to build such a botnet is a realistic scenario.
ADVERTISEMENT
Widespread Impact Across Browsers
Because Chromium is the foundation for many of the world's most used browsers, the impact is extensive. All Chromium-based browsers are affected, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
Affected browsers mentioned in the report
| Browser | Engine base | Exposure described |
|---|---|---|
| Google Chrome | Chromium | Affected |
| Microsoft Edge | Chromium | Affected |
| Brave | Chromium | Affected |
| Opera | Chromium | Affected |
| Vivaldi | Chromium | Affected |
| Arc | Chromium | Affected |
Worryingly, the exploit has become more covert over time. Recent tests on Microsoft Edge revealed that a download pop-up that previously appeared when the exploit was triggered no longer does, making the attack completely silent and invisible to the user.
ADVERTISEMENT
An Accidental Disclosure
The details of this "serious vulnerability" became public due to a procedural error. The issue was marked as "fixed" in Google's bug tracker system in February, despite a patch not being shipped. Following a standard 14-week waiting period for fixed bugs, the report's access restrictions were automatically lifted on May 20.
After the researcher confirmed the exploit was still active, Google made the report private again. However, the information was public long enough to be disseminated. Given the leak, the industry now anticipates an urgent, emergency patch from Google to mitigate the significant risk to users.