The developer opened a link from a Discord channel where colleagues were talking about a new build tool. He clicked nothing, typed nothing, downloaded nothing. The page didn't render right, something about a stale font. Five minutes later his laptop reported unusual process activity. In the few hundred milliseconds of rendering, the page had exploited a memory bug in the WebGL renderer.
Drive-by downloads are the stealthiest attack class in the browser. They require no interaction. The victim opens the page and the exploit is already working. What used to run through ActiveX controls in the early 2000s now exploits bugs in JavaScript engines, WebGL, WebAssembly, and media decoders. Modern browsers are more robust, but the attack surface is a lot bigger.
Why no click is needed
The browser isn't a simple page renderer. It's a full runtime that lets any loaded page execute JavaScript, push graphics to your GPU, decode video streams, and run WebAssembly binaries locally. All of that happens automatically the moment HTML reaches the parser.
A drive-by download exploits exactly that pipeline. A bug in the JavaScript engine that lets an array index drift past its bounds, a race condition in a Canvas API, a malformed video frame triggering a memory overflow: these are all entry points. The browser runs the exploit code because it's page content, not because you approved anything.
The browser's sandbox catches many attempts. The really dangerous ones are chained exploits: a JavaScript engine bug gives arbitrary memory access, a second bug breaks the sandbox, a third elevates privileges to system level. These chains cost attackers money but reliably end up in large-scale campaigns.
Where modern exploits hit

JavaScript JIT. Modern engines like V8 and SpiderMonkey compile hot functions to machine code at runtime. Bugs in the JIT compiler produce incorrect code that the browser runs with full privileges. Most of the exploited browser bugs in recent years come from this layer.
WebGL and WebGPU. Shaders go unfiltered to your GPU. Graphics drivers have a long history of bugs, and WebGL exploits are a proven route out of the browser sandbox.
Media decoding. Video and audio codecs process huge input spaces in C or C++. Memory corruption in a codec often means direct code execution. The famous 2023 BLASTPASS exploit against iMessage targeted an image parser, but the same class of problems exists in the browser.
WebAssembly and Web Workers. Parallel threads with their own memory model are convenient, and a further surface on which memory bugs are exploited.
How the page reaches your screen
Drive-by pages don't sit in a vacuum; they're delivered. The three dominant channels are malvertising, watering hole attacks, and compromised legitimate sites.
Malvertising is the cheapest channel. The crafted page lives inside the iframe of an ad banner and catches anyone who loads the host page. For more on that, see Malvertising: When the Ad Is the Attack. Watering hole attacks are more targeted. The attacker compromises a site the target audience frequents (an industry news site, a developer doc, a shared forum) and implants the exploit there.
The third variant is a directly compromised legitimate site. A hacked WordPress plugin, a stolen CDN account, or a tampered build hook is enough to inject scripts into a trusted site. Visitors have no way to tell the difference.
The window between patch and rollout

Chrome, Firefox, and Safari patch critical bugs within days. The updates only reach you, however, once your browser has fetched them and restarted. On desktop that typically takes 24 hours; on Android it can take weeks; in managed enterprise environments it can stretch to a month depending on the rollout window.
Attackers know this window precisely. They wait for disclosure, diff the patch for its real change, and build an exploit within hours. For a short but very lucrative period, the public is vulnerable to a bug that is already known. Even in a well-managed environment, you're exposed during those hours.
Auto-updates help, but not fully. A browser that hasn't been restarted for five days runs the old build, even if the patch was downloaded long ago.
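One way to spot the "patched on disk, old build in memory" state on a Linux host is shown below. It is an added example, not part of the original article. It assumes the package manager replaces the browser binary in place, in which case the kernel marks the `/proc/<pid>/exe` link of every still-running old process with a ` (deleted)` suffix; the list of binary names is also an assumption.

```python
import os
from collections import defaultdict

# Assumed list of browser binary names; adjust it for your fleet.
BROWSER_NAMES = {"chrome", "chromium", "firefox", "firefox-bin",
                 "firefox-esr", "msedge", "brave"}
DELETED = " (deleted)"  # suffix the kernel appends once the binary is unlinked


def stale_browser_processes(proc_root="/proc", names=BROWSER_NAMES):
    """Return {binary_path: [pids]} for browsers running a replaced binary."""
    stale = defaultdict(list)
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # only numeric directories are processes
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue  # process exited, kernel thread, or no permission
        if not target.endswith(DELETED):
            continue  # the file on disk is still the build that is running
        path = target[: -len(DELETED)]
        if os.path.basename(path) in names:
            stale[path].append(int(entry))
    # Browsers are multi-process: group all PIDs under the one stale binary.
    return {path: sorted(pids) for path, pids in stale.items()}


if __name__ == "__main__":
    findings = stale_browser_processes()
    for path, pids in sorted(findings.items()):
        print(f"restart needed: {path} "
              f"({len(pids)} processes, e.g. pid {pids[0]})")
    if not findings:
        print("no browser is running a replaced binary")
```

Updaters that install each version into a new directory instead of overwriting the binary will not trigger this check; there, compare the running version string against the installed one.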
Containment, not avoidance
You can't reliably avoid drive-by downloads and still use the web. The assumption that trusted sites are safe doesn't hold up, because ad networks, supply chain attacks, and zero-days hit even the most trusted. The answer shifts from avoidance to containment.
An isolated browser session still takes the exploit, but the exploit hits an environment that isn't your operating system. The payload lands in a container that gets thrown away when you're done. Your laptop stays clean. Combined with a fast update cadence on your everyday browser and the realization that unknown links don't need to open on your production machine, your real risk shrinks sharply. For more on the zero-day cycle, see Zero-Day Exploits.