Google Accidentally Publishes Unpatched Chromium Vulnerability PoC—Your Browser Could Be Hijacked
Google unintentionally released a proof‑of‑concept for a Chromium bug that has lingered unfixed for 42 months, allowing attackers to keep Service Workers alive, turn browsers into silent botnet nodes, and potentially compromise millions of users before a patch arrives.
42‑Month "Sleeping" Vulnerability
Independent security researcher Lyra Rebane reported the flaw to Google at the end of 2022, but the bug remained untouched in Chromium’s codebase for 42 months. The issue resides in the Background Fetch API, where Service Workers can be abused to create a hidden, persistent back‑door channel.
Technical Mechanism: How Fetch Becomes a Backdoor
The exploit repeatedly starts and aborts a background fetch every 20 seconds, bypassing the normal Service Worker lifecycle and keeping it alive indefinitely. When the creation and termination happen quickly, the browser shows no download prompt or UI indication, making the activity invisible to the user.
On Edge, an empty download dropdown appears, while the latest Chrome suppresses any UI, leaving the user unaware that their browser has become part of a botnet.
What an Attacker Can Do
Persistent Remote Code Execution: Load remote JavaScript payloads via the always‑alive Service Worker to run arbitrary code in the victim’s browser.
Build a Botnet: Recruit millions of devices silently, using them for anonymous browsing, DDoS traffic, or cryptocurrency mining.
User Tracking: Harvest browser start time, IP address, and User‑Agent to construct long‑term user profiles.
Facilitate Lateral Exploits: Combine the backdoor with future vulnerabilities for mass compromise, as Rebane warned.
Scope of Impact
The affected browsers include, but are not limited to:
Google Chrome
Microsoft Edge
Brave
Opera
Vivaldi
Arc
In short, any Chromium‑based browser could be vulnerable unless explicitly exempted.
Firefox and Safari remain safe because they do not implement the “eternal” Background Fetch feature.
Why Was It Unfixed for 42 Months?
"I think the problem is that this bug doesn’t break any existing security boundaries, so it won’t let an attacker access your mail or computer directly. That’s probably why the team didn’t grasp its severity and kept postponing it," Rebane told Ars Technica.
In plain terms, the vulnerability was deemed low priority because it alone does not devastate a user’s system.
However, the backdoor can be combined with future exploits, amplifying its impact exponentially and enabling attackers to amass a silent army of compromised browsers ready for a one‑click takeover.
Mitigation Recommendations (Before a Patch Arrives)
Watch for Odd Download Prompts: An unexpected download dropdown with no actual file may indicate exploitation.
Disable Service Workers: In Chrome’s site settings, you can manually turn off JavaScript or restrict Service Worker permissions, though this may break some site functionality.
Keep the Browser Updated: Even without a specific fix, staying on the latest version reduces exposure.
Monitor the Download Manager: Regularly review download history for unknown background tasks.
Long‑term, Chromium users should remember that their browsers are powerful tools that can also become powerful attack surfaces.
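A defender-side check to go with the monitoring steps above, added here as an example and not taken from the original article or from Chromium: it lists the Service Workers one origin has registered and any background fetches still in flight, and can remove them. The name `auditOrigin` and its `cleanup` option are made up for this example; the browser calls it uses are the standard Service Worker and Background Fetch API methods.

```javascript
// Added example: audit Service Workers and background fetches for ONE origin.
// Paste into the DevTools console of the site you want to inspect, then run:
//   auditOrigin().then(console.table)
// `nav` defaults to the page's navigator; a stand-in object can be passed for testing.
async function auditOrigin(nav = globalThis.navigator, { cleanup = false } = {}) {
  if (!nav || !nav.serviceWorker) return []; // no Service Worker support here
  const report = [];
  for (const reg of await nav.serviceWorker.getRegistrations()) {
    const worker = reg.active || reg.waiting || reg.installing;
    // registration.backgroundFetch only exists in Chromium-based browsers.
    const fetchIds = reg.backgroundFetch ? await reg.backgroundFetch.getIds() : [];
    const row = {
      scope: reg.scope,
      script: worker ? worker.scriptURL : null,
      state: worker ? worker.state : null,
      backgroundFetchIds: fetchIds,
      removed: false,
    };
    if (cleanup) {
      // Abort in-flight background fetches first, then drop the registration.
      for (const id of fetchIds) {
        const bgFetch = await reg.backgroundFetch.get(id);
        if (bgFetch) await bgFetch.abort();
      }
      row.removed = await reg.unregister();
    }
    report.push(row);
  }
  return report;
}
```

A page can only see registrations for its own origin, so the check has to be run per site. Because the technique described above aborts each fetch quickly, `backgroundFetchIds` can be empty at the moment of the check, and the registered script URL is the more durable thing to review.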
Conclusion
Google’s accidental disclosure of the PoC turned the security community’s attention to a long‑neglected flaw, highlighting that even top tech companies can falter in vulnerability management. When a seemingly minor bug lingers, its risk can silently climb, underscoring the need for vigilant security habits.
