Malware Using Service Workers

Hi Everyone,

While browsing through my system’s list of registered service workers—accessible via edge://serviceworker-internals in Microsoft Edge (or chrome://serviceworker-internals in Chrome)—I was surprised to find numerous entries. Many were from websites I don’t recognize or seemed suspicious. The top entries were service workers for browser extensions, which I left untouched, but I went ahead and unregistered the ones I didn’t recognize or need.

Does anyone know how much of a security risk these can pose? I came across an article titled “The Service Worker Hiding in Your Browser: The Next Web Attack Target?” which touches on potential threats, though I’ve only skimmed it so far.

In the meantime, I’ll continue cleaning up service workers I don’t trust or need. Curious if others are doing the same or have deeper insights on the risks.

Regards!
Namrata Hinduja Geneva, Switzerland (Swiss)

Unfortunately, what you are doing is not enough.

According to the article, in order for these attacks to succeed, it is required that a website or web app is susceptible to an XSS attack. Why? Because IndexedDB and Push subscriptions use the Same-Origin Policy, so another website will not be able to change your website's IndexedDB or Push subscriptions unless it is local JavaScript; hence an XSS attack, which runs as local JavaScript.

Another thing that has to happen for the IndexedDB attack is this:

    // url was read from a value stored in IndexedDB
    if (regex.test(url)) {
        importScripts(url);
    }

Here the url was read from a value in IndexedDB. If importScripts were not there, then there would be no problem. But if it is there, they suggest doing better input validation, as the regex is not enough.

As you can see, the problem is when a website or web app that we visit has XSS problems, improper input validation, etc.

So, unless you are looking inside every website you visit to check for vulnerabilities, it is out of our hands.
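
The input-validation point in the reply above, as an added example that is not part of the thread or the article: a service worker can parse the stored value and compare it against an exact origin and path allowlist instead of pattern-matching it. The origin, paths, regex and sample URLs are constructed assumptions, and `loadStoredScript` is a hypothetical helper that takes `importScripts` as its second argument.

```javascript
// Added example. Origin, paths and sample URLs are constructed, not from the article.
const ALLOWED_ORIGIN = "https://app.example";
const ALLOWED_PATHS = new Set([
  "/sw/plugins/analytics.js",
  "/sw/plugins/offline.js",
]);

// Constructed stand-in for a weak check: unanchored, with an unescaped dot.
const looseRegex = /https:\/\/app.example/;

// Strict check: parse first, then compare exact origin and exact path.
function isAllowedScriptUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value); // relative or malformed values throw
  } catch (err) {
    return false;
  }
  if (parsed.origin !== ALLOWED_ORIGIN) return false;
  if (parsed.username || parsed.password) return false;
  if (parsed.search || parsed.hash) return false;
  return ALLOWED_PATHS.has(parsed.pathname); // pathname is already normalized
}

// In a service worker, pass importScripts as `importer`.
function loadStoredScript(value, importer) {
  if (!isAllowedScriptUrl(value)) return false;
  importer(new URL(value).href);
  return true;
}

// Stored values a tampered IndexedDB record could hold (constructed).
const samples = [
  "https://app.example/sw/plugins/analytics.js",
  "https://app.example.other.test/sw/plugins/analytics.js",
  "https://other.test/?next=https://app.example/sw/plugins/analytics.js",
  "https://app.example/sw/plugins/../../uploads/x.js",
];

function compareChecks() {
  return samples.map((url) => ({
    url,
    loose: looseRegex.test(url),
    strict: isAllowedScriptUrl(url),
  }));
}
```

`compareChecks()` shows the loose pattern accepting all four sample values while the parsed allowlist accepts only the first.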

Hi Namrata,

You’re absolutely right to be cautious. Service workers are powerful—they can run in the background, cache data, and even intercept network requests. While most are harmless and improve performance (like enabling offline support), malicious or poorly coded ones could theoretically be used for tracking or injecting scripts, especially if tied to shady sites or compromised third-party resources.

Unregistering service workers you don’t recognize is a smart move, especially if they’re not tied to extensions or trusted sites. Just be careful not to remove essential ones that support websites or apps you use frequently.

You’re on the right track with regular checks. Stay safe and sharp! :shield:

Hi Namrata,

Great observation—yes, service workers can pose security risks if misused. Though meant for helpful tasks like caching and push notifications, malicious ones can persist, run background scripts (like cryptojacking), or inject unwanted content.

You’re right to remove unknown entries. Regularly checking edge://serviceworker-internals and cleaning up suspicious service workers is a smart habit. Tools like uBlock Origin can help prevent shady registrations, too.

Stay safe,