Chromium — the open-source browser that underpins Google Chrome, Microsoft Edge, and Opera, among others — contains an unpatched vulnerability that attackers can exploit to execute JavaScript code persistently across browser restarts. As a result, the flaw can be used to hijack users’ browsers for distributed denial-of-service attacks, run crypto miners, and more.

The vulnerability was reported over three years ago by independent researcher Lyra Rebane and remained unfixed, or at least parts of it. The bug report was made public this week but was then closed again after Rebane reported on Mastodon that the flaw is still not properly fixed.

The bug tracker entry that contains the technical details was accessible long enough to be archived by users, and a copy can be easily found online even though the original entry is now set to private again.

The flaw abuses the Service Worker feature and the Background Fetch API, which allows websites to initiate downloads in the background, such as a video. This feature was introduced in 2018 and Google said at the time:

“If the user closes pages to your site after step 1, that’s ok, the download will continue. Because the fetch is highly visible and easily abortable, there isn’t the privacy concern of a way-too-long background sync task. Because the service worker isn’t constantly running, there isn’t the concern that it could abuse the system, such as mining bitcoin in the background.”

Rabane found that neither of those promises are true, at least not on all platforms and not on all Chromium-based browsers. For example, in the stable Google Chrome version at the time, in December 2022, the download was visible in the download bar, but in the canary version that introduced a new UI, the download seemed like a glitch being stuck at 0B and not showing the source.

On Microsoft Edge, the Download dropdown menu appeared but nothing was shown on it. In the most recent version, the background download is completely invisible and will continue even when the browser is closed.

“Generally a Service Worker has a limited lifespan, but the PoC [proof-of-concept exploit] bypasses that by creating and aborting background fetches every 20 seconds once the Service Worker is active,” Rabane wrote in her vulnerability report. “If the background fetch is created and aborted fast enough, it won’t show up in the browser UI at all, but will still keep the Service Worker active.”

From the comments in the bug entry, the UI aspects were fixed at some point in January 2023. However, the ability to keep the service worker alive indefinitely by toggling between events would have required a deeper fix, including changing the specification for the API to introduce a hard time limit for quitting the service worker.

The things a malicious website could do via a persistent service worker are limited, but they can be serious, including persistent user tracking, as service workers have access to browser open timestamps, IP addresses, and User-Agent info.

The exploit can also be used to execute remote JavaScript payloads, which can be leveraged in a variety of ways, including to execute potential exploits for future bugs, side-channel attacks, or WebAssemply payloads like crypto miners. It’s also possible to trigger requests to other websites, which could be abused in a distributed denial-of-service scenario if a compromised website is used to hijack thousands of browsers in this way.