Brave and Microsoft Edge Patch Chromium Flaw That Lets Malicious Scripts Survive Browser Restarts

Brave and Microsoft Edge have released security updates to fix a Chromium vulnerability that allowed malicious websites to plant hidden scripts capable of surviving browser restarts.

The flaw centers on the Background Fetch API — a browser feature that lets web apps retrieve resources in the background — which attackers could exploit to embed scripts without a user’s knowledge.

Left unpatched, those scripts could enable user tracking, execute malicious code on a target machine, or recruit devices into distributed denial-of-service (DDoS) attacks against third parties.

Brave Patches the Flaw, Adds Wallet Fixes

Brave’s desktop update, version 1.90.128, addresses the Background Fetch API bug directly alongside two separate wallet security fixes.

Developers patched a wallet provider binding issue flagged by a researcher identified as shinchan_69, and updated the wallet interface to better handle “Permit”-type warnings in the “Sign” panel, a fix credited to researcher syarif07. Both researchers reported the vulnerabilities through HackerOne, a bug-bounty platform used by security teams to receive and triage external vulnerability reports.

The update also bumps the underlying Chromium engine to version 148.0.7778.217.

Desktop users should receive the patch automatically. Still, users can force the update immediately by navigating to Settings > About Brave.

Android users face a short wait, as the build sits pending review in the Google Play Store.

Edge Follows With Maintenance Release

Microsoft Edge separately rolled out version 148.0.3967.96 to its Stable channel, folding in the same Chromium security patches.

The Edge release carries no new features — it functions purely as a maintenance update targeting the underlying engine vulnerabilities.

Both browsers run on Chromium, the open-source browser engine maintained primarily by Google, which means a flaw in the shared codebase can affect multiple browsers simultaneously until each vendor ships its own patched build.
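Because each vendor ships its own patched build, a fleet check has to compare every browser against its own fixed version. The following is an added example, not code from Brave, Microsoft or the article: it audits a constructed `host,browser,version` inventory against the two builds named above, and it assumes that the inventory reports each vendor's product version in that dotted form and that later builds keep the fix.

```python
# Added example. Minimum fixed builds are the versions named in the article.
FIXED_BUILDS = {
    "brave": (1, 90, 128),        # Brave desktop
    "edge": (148, 0, 3967, 96),   # Microsoft Edge Stable
}

def parse_version(text):
    """Turn '148.0.3967.96' into (148, 0, 3967, 96); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(browser, version):
    """Return 'patched', 'needs-update' or 'unknown' for one inventory record."""
    fixed = FIXED_BUILDS.get(browser.strip().lower())
    if fixed is None:
        return "unknown"          # no fixed build for this browser in the table
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"          # unparseable version: review by hand
    # Pad to equal length so '1.90' compares as 1.90.0, then compare numerically.
    width = max(len(installed), len(fixed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return "patched" if installed >= fixed else "needs-update"

def audit(inventory_lines):
    """Return (host, browser, version, status) for every record not confirmed patched."""
    findings = []
    for line in inventory_lines:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue              # skip blank or malformed lines
        host, browser, version = fields
        status = classify(browser, version)
        if status != "patched":
            findings.append((host, browser, version, status))
    return findings

# Constructed sample inventory; hostnames and the older versions are made up.
SAMPLE = ["ws-01,Brave,1.90.128", "ws-02,Brave,1.89.143", "ws-03,Edge,148.0.3967.96",
          "ws-04,Edge,148.0.3967.9", "ws-05,Chrome,148.0.7778.217", "ws-06,Brave,n/a"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The `ws-04` record shows why the comparison is numeric: as plain strings, `148.0.3967.9` sorts after `148.0.3967.96` and would pass as patched.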

‘Soon’: Brave Hints at Larger Update Ahead

The security release drew community attention beyond the patch itself, with users asking about a forthcoming feature update called the Origin release in Brave’s announcement thread.

Brave’s official account responded with a single word: “Soon.”

The company offered no further timeline. Brave, founded in 2015 by Mozilla co-founder Brendan Eich, positions its browser around privacy features including built-in ad blocking and tracker blocking by default.

Deepak Gupta