Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even after the browser is closed, allowing an attacker's JavaScript to keep executing on the device. Note that this is script running inside the browser's sandbox, not native code execution on the host.
The flaw was reported by security researcher Lyra Rebane and acknowledged as valid in December 2022, according to the thread on the Chromium Issue Tracker.
An attacker could exploit the problem by hosting a malicious webpage that registers a Service Worker with a task, such as a download, that never terminates. Rebane says this would allow the attacker to keep executing JavaScript code on visitors' devices after they have left the page.
"It's realistic to get tens of thousands of pageviews for creating a 'botnet', and people won't be aware that JavaScript can be remotely executed on their device," Rebane says in the original bug report.
Potential exploitation scenarios include using the affected browsers to launch distributed denial-of-service (DDoS) attacks, proxying malicious traffic, and arbitrarily redirecting traffic to target sites.
The issue impacts all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
Persistent bug
On October 26, 2024, a Google developer noticed that the issue was still open and described it as a "serious vulnerability" that needed a status update "to ensure that there's progress."
This year, on February 10, the issue was marked as fixed and then reopened just a few minutes later due to several concerns.
Because it was a security problem, the bug's labels were updated so it could go through the Chrome Vulnerability Rewards Program (VRP) Panel, and the issue was marked as fixed on February 12, although a patch had not yet been shipped.