"OH NO I JUST REALIZED THIS IS NOT ACTUALLY PROPERLY FIXED AND STILL WORKS," Lyra Rebane posted on Mastodon after testing a purported patch.
Lyra Rebane: discovery, disclosure, and alarm
Security researcher Lyra Rebane first reported the issue in 2022; the Chromium Issue Tracker thread acknowledges the report as valid in December 2022. In her original bug report Rebane warned: "It's realistic to get tens of thousands of pageviews for creating a 'botnet', and people won't be aware that JavaScript can be remotely executed on their device." After public testing on May 20, Rebane confirmed the exploit still functioned in current developer builds and raised the alarm publicly.
How the Service Worker exploit operates
The vulnerability allows a malicious webpage to register a Service Worker that never terminates, keeping JavaScript running on a user’s device even after the browser is closed. Rebane and reporting make clear that the bug does not bypass browser security boundaries and does not give attackers access to victims' emails, files, or the host operating system. Still, persistent JavaScript execution enables remote code execution in the browser context and supports follow-on misuse: distributed denial-of-service (DDoS) participation, proxying of malicious traffic, and arbitrary redirection of users to target sites.
Chromium Issue Tracker: labels, fixes, and an accidental public exposure
The bug has been persistent inside the Chromium Issue Tracker. A Google developer flagged it as a "serious vulnerability" on October 26, 2024. On February 10 the issue was briefly marked as fixed and then reopened within minutes because of outstanding concerns. Security labels were updated so the report could proceed through the Chrome Vulnerability Rewards Program (VRP) Panel; on February 12 the issue was marked as fixed in the tracker even though a patch had not been shipped. An automated email later informed Rebane she had been awarded a $1,000 bounty.
Crucially, all access restrictions on the Chromium Issue Tracker were removed on May 20 because the bug had been closed for more than 14 weeks and marked as fixed in the system. That removal of restrictions appears to have let details escape into the public domain before a live patch was deployed.
Browsers and versions shown vulnerable: Chrome Dev 150, Edge 148, and other Chromium-based targets
Rebane tested the claimed fix after the tracker was made public again and found the problem active in Chrome Dev 150 and Edge 148. The vulnerability affects all Chromium-based browsers named in reporting, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. One factor increasing the risk on Edge: a download popup that previously appeared when the exploit triggered no longer appears in the latest Edge builds, making the persistent JavaScript execution substantially stealthier.
What this means for browser vendors, technologists and security teams, and end users
- Browser vendors: Given that the issue details leaked and the exploit has been reproduced in developer builds, vendors will most likely treat the problem as urgent and prioritize emergency fixes and patches. The Chromium tracker already routed the report through the Chrome VRP Panel and marked it fixed in the system, even though a shipped patch lagged the tracker state.
- Technologists and security teams: Teams responsible for detection and incident response should be aware of the specific persistence vector—Service Workers that fail to terminate—and validate whether developer and stable builds (for example, Chrome Dev 150 and Edge 148) include the corrected behavior once a patch is released.
- End users: Users of Chromium-based browsers face a real risk of their browser instances being co-opted into activity such as DDoS participation or proxying traffic after a single visit to a malicious site, and may not see any obvious indicators—particularly on Edge where the download menu no longer appears.
Rebane told Ars Technica that Google’s exposure would make exploitation "pretty easy," though she cautioned that scaling any exploitation into a very large botnet is more complicated. BleepingComputer reached out to Google for comment on the exposure but had not received a response by publication.
The immediate, plainly stated facts remain: a validated Chromium bug that enables persistent Service Worker–driven JavaScript execution was marked fixed in the tracker without a shipped patch; tracker access controls were removed on May 20; and public testing shows the behavior persists in at least Chrome Dev 150 and Edge 148. With the vulnerability details leaked and a $1,000 bug bounty already issued, the next observable step will be whether vendors push emergency fixes to developer and stable channels and how quickly those updates are deployed to the hundreds of millions of users who run Chromium-based browsers.




