Google Accidentally Exposes Details of Unfixed Chromium RCE Flaw Affecting All Chromium‑Based Browsers
What Happened — Google unintentionally released internal details of a long‑standing Chromium vulnerability that allows JavaScript to continue executing after the browser is closed, enabling remote code execution. The flaw, first reported in 2022, remains unfixed in current Chrome Dev and Edge builds despite being marked “fixed” in the issue tracker.
Why It Matters for TPRM —
- The vulnerability can turn any Chromium‑based browser into a stealthy botnet node, exposing downstream SaaS applications to DDoS, traffic proxying, and data exfiltration.
- Vendor‑managed browsers are often deployed in enterprise environments; a mis‑configuration or unpatched client can become a supply‑chain risk.
- Disclosure without a patch gives threat actors a “window of opportunity” to weaponize the flaw before remediation.
Who Is Affected — Technology & SaaS providers, enterprises that standardize on Chrome, Edge, Brave, Opera, Vivaldi, Arc, and any downstream services that rely on client‑side JavaScript execution.
Recommended Actions —
- Inventory all Chromium‑based browsers in use across your organization and verify version levels.
- Apply any available mitigations (e.g., disable Service Workers, enforce strict CSP) while awaiting an official patch.
- Increase monitoring for anomalous outbound traffic from client machines (possible C2 beaconing).
- Engage with browser vendors to obtain timeline for a definitive fix and confirm remediation status.
Technical Notes — The issue stems from a Service Worker that persists after the browser window is closed, allowing attacker‑controlled JavaScript to run indefinitely. No CVE number has been assigned yet; the bug was mistakenly marked “fixed” in the Chromium Issue Tracker but remains exploitable in Chrome Dev 150 and Edge 148. Exploit scenarios include building a large‑scale JavaScript botnet, DDoS amplification, and covert traffic proxying. Source: BleepingComputer