ungoogled-software/ungoogled-chromium

Disable Background Fetch API (unpatched Chromium vuln, exploit code public)

Open

#3,791 created on May 21, 2026

enhancement, help wanted


Description

How to disable Background Fetch API at build time?

Who's implementing?

  • I'm willing to implement this feature myself

The problem

Background Fetch in Chromium has a vulnerability that's been public since yesterday (May 20, 2026). Originally reported by Lyra Rebane in late 2022, rated S1 internally, still unpatched ~29 months later. Google briefly published PoC exploit code on their own tracker before pulling it.

How it works: a malicious site registers a service worker that uses Background Fetch to keep a persistent connection open - survives tab close, browser restart, sometimes OS reboot. Turns the browser into a low-capability botnet node (anonymous proxy, proxied DDoS, traffic monitoring). Doesn't cross same-origin boundaries by itself, but stockpiles browsers for when the next vuln drops.

Affects every Chromium-based browser including UC. Firefox and Safari aren't affected - they never shipped the API.

Refs:

Two things:

  1. Is there a way to disable Background Fetch at build time today - e.g. flipping BackgroundFetch in third_party/blink/renderer/platform/runtime_enabled_features.json5, or some existing build flag I missed? If something works, could it get a line in docs/?

  2. Could UC add a --disable-background-fetch switch (and ideally --disable-service-workers for the broader case), with Background Fetch defaulted off? Almost nothing uses it in practice - for typical UC users disabling it by default breaks essentially nothing, and anyone who needs it can flip the flag back. Until upstream ships a fix this looks like the only real user-side mitigation, and it fits the project's "privacy/control over convenience" line.

Possible solutions

  • Now: recipe for self-builders - how to disable Background Fetch and service workers at build time (files, flags, anything related).

  • Later: ship it as UC flags (--disable-background-fetch, --disable-service-workers), Background Fetch off by default.

Alternatives

No response

Additional context

No response
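
An added example, not part of the original issue or of ungoogled-chromium's code: a per-origin audit that lists the Background Fetch registrations held by an origin's service workers, read-only by default, with optional abort and unregister. It does not disable the API or answer the build-time question above; it assumes it is run from a page or DevTools console on the origin being inspected, and the function names are hypothetical.

```javascript
// Added example: audit one origin's service workers for Background Fetch state.
// `sw` is a ServiceWorkerContainer (navigator.serviceWorker in a page or the
// DevTools console); it is a parameter so the logic can be exercised offline.
async function auditBackgroundFetch(sw, { abort = false, unregister = false } = {}) {
  const report = [];
  for (const reg of await sw.getRegistrations()) {
    const entry = { scope: reg.scope, supported: Boolean(reg.backgroundFetch),
                    fetches: [], unregistered: false };
    if (entry.supported) {
      for (const id of await reg.backgroundFetch.getIds()) {
        const bg = await reg.backgroundFetch.get(id);
        if (!bg) continue; // fetch ended between getIds() and get()
        const item = {
          id: bg.id,
          result: bg.result,        // "" while running, else "success" / "failure"
          downloaded: bg.downloaded,
          uploaded: bg.uploaded,
          aborted: false,
        };
        // Only a fetch that is still running is aborted, and only on request.
        if (abort && bg.result === "") item.aborted = await bg.abort();
        entry.fetches.push(item);
      }
    }
    if (unregister) entry.unregistered = await reg.unregister();
    report.push(entry);
  }
  return report;
}

// Scopes whose service worker still holds a running, un-aborted Background Fetch.
function activeScopes(report) {
  return report
    .filter((e) => e.fetches.some((f) => f.result === "" && !f.aborted))
    .map((e) => e.scope);
}

// In a browser, print a read-only report for the current origin.
if (typeof navigator !== "undefined" && navigator.serviceWorker) {
  auditBackgroundFetch(navigator.serviceWorker).then((r) => console.table(
    r.flatMap((e) => e.fetches.map((f) => ({ scope: e.scope, ...f })))));
}
```

Calling `auditBackgroundFetch(navigator.serviceWorker, { abort: true, unregister: true })` cancels running fetches and removes the origin's service workers; the site can register them again on the next visit.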
