Full Report
Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. [...]
Analysis Summary
The following is a summary of the reported security issue in the Chromium project based on the provided article.
# Vulnerability: Persistent Background JavaScript Execution in Chromium
## CVE Details
- **CVE ID**: Not yet assigned (Unfixed at the time of the report)
- **CVSS Score**: N/A (Severity described by Google developers as "Serious")
- **CWE**: CWE-1059: Failure to Terminate Process (Related to Service Worker persistence)
## Affected Systems
- **Products**: All Chromium-based browsers.
- **Versions**: Confirmed present in Chrome Dev 150 and Edge 148 (as of May 2026).
- **Configurations**: Default configurations; vulnerability is triggered via standard Service Worker functionality.
## Vulnerability Description
The flaw stems from a logic error in how Chromium manages Service Workers. Specifically, a malicious webpage can register a Service Worker that fails to terminate properly. This allows JavaScript to continue running in the background even after the user has closed the browser. While it does not bypass the browser's sandbox (meaning it lacks direct access to the host file system or OS), it allows for persistent, silent code execution within the browser's context.
## Exploitation
- **Status**: Details leaked/Publicly disclosed (Publicly accessible on Chromium Issue Tracker for a short window).
- **Complexity**: Low (Described as "pretty easy" to exploit, though scaling to a botnet is more complex).
- **Attack Vector**: Network (Triggered by visiting a single malicious website).
## Impact
- **Confidentiality**: Low (Standard browser security boundaries remain in place).
- **Integrity**: Low/Medium (Allows unauthorized persistent execution of script).
- **Availability**: Medium (Background execution can be used for participation in DDoS attacks or unauthorized traffic proxying).
## Remediation
### Patches
- No functional patch is currently available. Although the issue was marked as "fixed" in internal trackers, testing by the original researcher confirmed the vulnerability remains active in current development builds.
### Workarounds
- **Task Management**: Manually kill all browser processes via the OS Task Manager or Activity Monitor.
- **Service Worker Management**: Manually inspect and unregister suspicious service workers by navigating to `chrome://serviceworker-internals/` or `edge://serviceworker-internals/`.
- **Disable Background Apps**: In Chrome settings, disable "Continue running background apps when Google Chrome is closed."
## Detection
- **Indicators of Compromise**: Unexpected high CPU or network usage by browser processes after the application has been closed.
- **Detection Methods**: Monitoring internal browser registration pages (`chrome://serviceworker-internals/`) for unknown or persistent workers from untrusted domains.
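One way to triage the indicator above on an endpoint, as an added example that is not part of the original report: it flags Chromium-family browsers that own no visible window yet still have renderer processes (where Service Worker JavaScript runs) alive. The function names, the browser list, the `open_windows` input (assumed to come from the OS window list) and the CPU threshold are hypothetical, and the process snapshot is constructed.

```python
import re
from collections import defaultdict

# Browser executable names to watch (assumed list; extend for your fleet).
BROWSERS = {"chrome", "chrome.exe", "msedge", "msedge.exe", "chromium"}
TYPE_SWITCH = re.compile(r"--type=([\w-]+)")

def role(cmdline):
    """Chromium child processes carry --type=<role>; the main browser process has none."""
    m = TYPE_SWITCH.search(cmdline)
    return m.group(1) if m else "browser"

def lingering_browsers(snapshot, open_windows, cpu_threshold=5.0):
    """snapshot: dicts with name, pid, cmdline, cpu (percent).
    open_windows: browser names that currently own a visible window.
    Returns one finding per windowless browser that still has renderers."""
    by_browser = defaultdict(list)
    for p in snapshot:
        if p["name"].lower() in BROWSERS:
            by_browser[p["name"].lower()].append(p)
    findings = []
    for name, procs in sorted(by_browser.items()):
        if name in open_windows:
            continue  # browser is in normal interactive use
        renderers = [p for p in procs if role(p["cmdline"]) == "renderer"]
        if not renderers:
            continue
        cpu = sum(p["cpu"] for p in renderers)
        findings.append({
            "browser": name,
            "renderer_pids": sorted(p["pid"] for p in renderers),
            "renderer_cpu": cpu,
            "high_cpu": cpu >= cpu_threshold,  # threshold is an assumed value
        })
    return findings

# Constructed sample snapshot, not captured from a real host.
SAMPLE = [
    {"name": "chrome", "pid": 4100, "cmdline": "/opt/google/chrome/chrome", "cpu": 0.4},
    {"name": "chrome", "pid": 4188, "cmdline": "/opt/google/chrome/chrome --type=renderer", "cpu": 31.5},
    {"name": "chrome", "pid": 4120, "cmdline": "/opt/google/chrome/chrome --type=gpu-process", "cpu": 0.1},
    {"name": "msedge.exe", "pid": 912, "cmdline": "msedge.exe", "cpu": 0.2},
    {"name": "msedge.exe", "pid": 960, "cmdline": "msedge.exe --type=renderer", "cpu": 1.0},
    {"name": "sshd", "pid": 77, "cmdline": "/usr/sbin/sshd -D", "cpu": 0.0},
]

if __name__ == "__main__":
    for finding in lingering_browsers(SAMPLE, open_windows={"msedge.exe"}):
        print(finding)
```

A finding is a triage signal only, since extensions and legitimate background apps also keep renderer processes alive; confirm by reviewing the registrations listed at `chrome://serviceworker-internals/` or `edge://serviceworker-internals/`.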
## References
- BleepingComputer Article: hxxps[://]www[.]bleepingcomputer[.]com/news/security/google-accidentally-exposed-details-of-unfixed-chromium-flaw/
- Researcher Disclosure (Lyra Rebane): hxxps[://]infosec[.]exchange/@rebane2001/116606719764376414
- Chromium Issue Tracker (Private): hxxps[://]issues[.]chromium[.]org/issues/ (Note: Detailed access currently restricted)