Research

Study finds built-in browsers across gadgets often ship years out of date

Web browsers for desktop and mobile devices tend to receive regular security updates, but that often isn't the case for those that reside within game consoles, televisions, e-readers, cars, and other devices. These outdated, embedded browsers can leave you open to phishing and other security vulnerabilities.

Researchers affiliated with the DistriNet Research Unit of KU Leuven in Belgium have found that newly released devices may contain browsers that are several years out of date and include known security bugs.

In a research paper [PDF] presented at the USENIX Symposium on Usable Privacy and Security (SOUPS) 2025 in August, computer scientists Gertjan Franken, Pieter Claeys, Tom Van Goethem, and Lieven Desmet describe how they created a crowdsourced browser evaluation framework called CheckEngine to overcome the challenge of assessing products with closed-source software and firmware.

The framework functions by providing willing study participants with a unique URL that they're asked to enter into the integrated browser in the device being evaluated. During the testing period between February 2024 and February 2025, the boffins received 76 entries representing 53 unique products and 68 unique software versions.

In 24 of the 35 smart TVs and all 5 e-readers submitted for the study, the embedded browsers were at least three years behind current versions available to users of desktop computers. And the situation is similar even for newly released products.

"Our study shows that integrated browsers are updated far less frequently than their standalone counterparts," the authors state in their paper. "Alarmingly, many products already embed outdated browsers at the time of release; in fact, eight products in our sample included a browser that was over three years obsolete when it hit the market."

According to KU Leuven, the study revealed that some device makers don't provide security updates for the browser, even though they advertise free updates.

The researchers cited several case studies that assessed the exploitability of devices with outdated browsers. The Boox Note Air 3 e-ink tablet, released in January 2024, for example, ships with the NeoBrowser, which is based on Chromium 85, released in August 2020.

"Notably, across four software updates, the integrated browser remained unpatched," the researchers said, adding that the company lacked a security reporting channel and that support staff misrepresented the resolution of the problem. As a result, the authors reported the matter to the EU regulatory authorities.

In December 2024, the EU Cyber Resilience Act came into force, initiating a transition period through December 2027, when vendors will be fully obligated to tend to the security of their products. The KU Leuven researchers say that many of the devices tested are not yet compliant.

The authors also looked at gaming applications that include an embedded browser: Steam, Ubisoft Connect, and AMD Adrenalin.

The Steam enrollments submitted through the CheckEngine framework included two browsers based on Chromium 109, from January 2023, and one that used Chromium 126, from June 2024. The researchers said that while they could not reproduce any of the three known vulnerabilities tested, they found that they could spoof the origin of alert boxes in the older versions.

"Here, by exploiting an open redirect – previously discovered for a Steam domain – an attacker could craft a URL that triggers an alert box appearing to originate from a legitimate domain, which is useful for phishing attacks," the researchers said.

Ubisoft Connect's embedded browser, based on Chromium 109, also didn't yield to known vulnerabilities due to a limitation that did not allow the opening of new tabs or windows, but the authors did find the browser came configured with the --no-sandbox flag, which raised the risk of privilege escalation attacks.

With AMD Adrenalin, the KU Leuven researchers reproduced the address bar spoofing vulnerability in its Chromium 112-based browser from April 2023. AMD, they said, acknowledged the issue and was working on a fix at the time they initially presented their findings.

The authors put some of the blame on development frameworks like Electron that bundle browsers with other components.

"We suspect that, for some products, this issue stems from the user-facing embedded browser being integrated with other UI components, making updates challenging – especially when bundled in frameworks like Electron, where updating the browser requires updating the entire framework," they said in their paper. "This can break dependencies and increase development costs."

But in other cases, they suggest the issue arises from inattention on the part of vendors or a choice not to implement essential security measures.

While they suggest mechanisms like product labels may focus consumer and vendor attention on updating embedded browsers, they conclude that broad voluntary compliance is unlikely and that regulations should compel vendors to take responsibility for the security of the browsers they embed in their products. ®