HackMyIP
2026-05-21 BleepingComputer

Google Leaks Unfixed Chromium Flaw Enabling Silent JS Botnet

Vulnerability, Zero-Day, Bug Bounty

Google inadvertently exposed technical details of an unfixed Chromium vulnerability that allows JavaScript to persist in the background after the browser is closed, effectively giving attackers a pathway to remote code execution on affected devices. The flaw, reported by security researcher Lyra Rebane in December 2022, was acknowledged by Google as a valid security issue and later described by a Google developer in October 2024 as a "serious vulnerability" that required urgent attention.

The underlying weakness lies in the way Chromium-based browsers handle Service Workers. By crafting a malicious webpage that registers a Service Worker—often disguised as a download task—an attacker can create a background script that never terminates, even after the user closes the browser tab or the entire application. This persistent JavaScript can be leveraged to form a covert botnet, launch DDoS attacks, proxy malicious traffic, or arbitrarily redirect users to attacker‑controlled sites. All major Chromium‑based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc, are impacted.

Google initially marked the issue as fixed on February 12, 2025, awarded Rebane a $1,000 bug bounty, and removed all access restrictions on the Chromium Issue Tracker on May 20, assuming the flaw had been patched for more than 14 weeks. However, when Rebane re‑tested the fix on Chrome Dev 150 and Edge 148, she discovered that the exploit still functioned and that the download popup that previously alerted users no longer appears in Edge, making the attack completely silent. The discrepancy prompted Rebane to publicly warn that the vulnerability remains exploitable.

Users and administrators should take immediate steps to mitigate risk. Ensure browsers are up to date and consider disabling Service Workers for untrusted sites via browser settings. Security teams can audit their exposure with tools such as our browser fingerprint test to see if their browser configuration leaks identifying information, and use our DNS leak test to confirm that no traffic is being diverted unexpectedly.

Source: BleepingComputer
