
“The attack vector originates from the complete absence of rate limiting on document.title API updates,” Pino wrote in the technical document. “This allows injecting millions of DOM mutations per second, and during this injection attempt, it saturates the main thread, disrupting the event loop and causing the interface to collapse.”
The exploit affects Chromium versions 143.0.7483.0 and earlier. Pino tested 11 browsers across macOS, Windows, Linux, and Android. Nine proved vulnerable: Chrome, Edge, Vivaldi, Arc, Dia, Opera, Perplexity Comet, ChatGPT Atlas, and Brave.
Firefox and Safari emerged unscathed. Both use different rendering engines — Gecko and WebKit, respectively — that don’t share Blink’s architectural flaw. All iOS browsers also escaped because Apple requires them to use WebKit, Pino added in the document.
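The missing rate limit Pino describes can be pictured as a token bucket placed in front of the `title` setter. The following is an added example, not code from Pino's document or from Chromium, and it is not verified as a mitigation for this exploit. The names `rateLimitTitle`, `maxPerSecond`, `now` and `flush` are assumptions made for the example.

```javascript
// Added example: token-bucket limiter for writes to a `title` property.
// All names here are hypothetical; in a page, `target` would be `document`.
function findDescriptor(obj, prop) {
  // Walk the prototype chain (document.title lives on Document.prototype).
  for (let o = obj; o; o = Object.getPrototypeOf(o)) {
    const d = Object.getOwnPropertyDescriptor(o, prop);
    if (d) return d;
  }
  return null;
}

function rateLimitTitle(target, { maxPerSecond = 10, now = Date.now } = {}) {
  const desc = findDescriptor(target, 'title');
  if (!desc) throw new TypeError('target has no title property');
  let stored = desc.value; // backing store, used only for plain data properties
  const read = () => (desc.get ? desc.get.call(target) : stored);
  const write = (v) => (desc.set ? desc.set.call(target, v) : (stored = v));

  let tokens = maxPerSecond; // bucket starts full: a short burst is allowed
  let last = now();
  let pending;               // newest value that was held back
  const stats = { applied: 0, suppressed: 0 };

  const refill = () => {
    const t = now();
    tokens = Math.min(maxPerSecond, tokens + ((t - last) / 1000) * maxPerSecond);
    last = t;
  };
  const apply = (v) => { tokens -= 1; pending = undefined; write(String(v)); stats.applied++; };

  // Shadow the property on the instance so every script write hits the bucket.
  Object.defineProperty(target, 'title', {
    configurable: true,
    get: read,
    set(v) {
      refill();
      if (tokens >= 1) apply(v);
      else { pending = v; stats.suppressed++; } // coalesce: the latest write wins
    },
  });

  // Call from a timer so the last held-back value is applied once tokens return.
  const flush = () => { refill(); if (pending !== undefined && tokens >= 1) apply(pending); };
  return { stats, flush };
}
// Browser use (assumption): const lim = rateLimitTitle(document); setInterval(lim.flush, 250);
```

It only covers writes that go through the `title` property of the wrapped object; changes made directly to the `<title>` element's text bypass it.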
