The bug tracker entry that contains the technical details was accessible long enough to be archived by users, and a copy can easily be found online even though the original entry is now set to private again.
The flaw abuses the Service Worker feature and the Background Fetch API, which allows websites to initiate downloads in the background, such as a video. This feature was introduced in 2018, and Google said at the time:
“If the user closes pages to your site after step 1, that’s okay, the download will continue. Because the fetch is highly visible and easily abortable, there isn’t the privacy concern of a way-too-long background sync task. Because the service worker isn’t constantly running, there isn’t the concern that it could abuse the system, such as mining bitcoin in the background.”
Rabane found that neither of these guarantees is true, at least not on all platforms and not on all Chromium-based browsers. For example, in the stable Google Chrome version at the time, in December 2022, the download was visible in the download bar, but in the Canary version, which introduced a new UI, the download looked like a glitch, stuck at 0B and not showing the source.



