How a Tiny JavaScript Snippet Can Crash Browsers and Reboot iPhones

A JavaScript snippet shared on Twitter is claimed to crash the Firefox, Chrome, and Safari browsers and even force an iPhone to restart. This prompted security researchers to examine the code, observe its effects on desktop and mobile, and discuss whether it is a bug or a true 0‑day exploit.

ITPUB

Background

A tweet posted by the account CyberSecurity@cyber__sec claimed that a short JavaScript snippet could crash major browsers (Firefox, Chrome, Safari) and even cause an iPhone to restart. The claim was later echoed by another user who posted the same script in a dashed‑box style tweet.

Provided JavaScript Snippet

// The JavaScript code below can crash the Firefox, Chrome and Safari browsers, and can also make an iPhone reboot.

The tweet also included a second comment with the same description:

// Send a link containing the script below to your friends; it can crash your friend's browser and make their iPhone reboot.

Reproduction Steps

Create an HTML file that embeds the above JavaScript code (the exact payload was shown only as an image in the original post).

Host the HTML file on a web server or serve it locally.

Open the page in a desktop browser (Firefox, Chrome, or Safari). Observe a rapid increase in CPU and memory usage, leading to the browser becoming unresponsive and eventually crashing.

Open the same page on a mobile device (Android Chrome or iPhone Safari). The browser terminates immediately (a “flash‑out”). The same behavior occurs when the link is opened inside Weibo or WeChat webviews.

Observed Effects

Desktop browsers: CPU usage spikes to 100 % and memory consumption grows until the browser hangs and crashes.

Mobile browsers: The browser process exits abruptly; on iPhone Safari the device was reported to reboot after the crash.

Technical Analysis

Community speculation points to a possible history stack overflow or other JavaScript engine bug. The script likely performs an unbounded operation such as repeatedly calling history.pushState or creating an infinite recursion, exhausting the engine’s call stack and triggering a denial‑of‑service condition. Because the crash occurs across multiple browsers, the underlying issue may be a shared component in the JavaScript engine (e.g., V8, SpiderMonkey, JavaScriptCore) that mishandles extreme recursion or memory allocation.

Potential Abuse Scenarios

Embedding the malicious script in a link sent via a man‑in‑the‑middle (MITM) attack to cause target browsers to crash.

Distributing the link on social platforms (Weibo, WeChat, Twitter) to trigger accidental crashes for unsuspecting users.

Open Questions

Is the observed behavior a reproducible bug in the browsers or an undisclosed zero‑day vulnerability?

What exact JavaScript constructs trigger the crash, and can they be mitigated by browser hardening (e.g., limiting history depth or recursion depth)?
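
The hardening idea raised in the last question (limiting history depth) can be sketched as a guard around `history.pushState`. This is an added example, not code from the original post or from any browser; `guardHistory`, its option names, its limits, and the fake history object are assumptions made for illustration.

```javascript
// Added illustration: cap how often and how far a page may push history entries.
// guardHistory, its option names and its default limits are hypothetical.
function guardHistory(history, opts = {}) {
  const maxCalls = opts.maxCalls ?? 100;     // accepted calls allowed per window
  const windowMs = opts.windowMs ?? 30000;   // sliding window length in ms
  const maxDepth = opts.maxDepth ?? 50;      // total entries this page may add
  const maxUrlLen = opts.maxUrlLen ?? 2048;  // reject oversized URL arguments
  const now = opts.now ?? Date.now;          // injectable clock for testing
  const original = history.pushState.bind(history);
  const stamps = [];                         // timestamps of accepted calls
  const stats = { accepted: 0, dropped: 0, reasons: {} };
  const drop = (reason) => {
    stats.dropped++;
    stats.reasons[reason] = (stats.reasons[reason] || 0) + 1;
    return false;
  };
  history.pushState = function (state, title, url) {
    const t = now();
    while (stamps.length && t - stamps[0] >= windowMs) stamps.shift();
    if (url != null && String(url).length > maxUrlLen) return drop("url-too-long");
    if (stats.accepted >= maxDepth) return drop("depth");
    if (stamps.length >= maxCalls) return drop("rate");
    stamps.push(t);
    stats.accepted++;
    original(state, title, url);
    return true;                             // unlike the native call, report the outcome
  };
  return stats;
}

// Constructed stand-in for window.history so the example runs under Node.
function makeFakeHistory() {
  return { entries: [], pushState(s, t, u) { this.entries.push(u); } };
}

// Constructed workload: a burst with the clock frozen, then slow steady calls.
function demo() {
  const fake = makeFakeHistory();
  let clock = 0;
  const stats = guardHistory(fake, { maxCalls: 10, windowMs: 1000, maxDepth: 25, now: () => clock });
  for (let i = 0; i < 500; i++) fake.pushState(null, "", "/p" + i);
  const afterBurst = fake.entries.length;    // only the rate limit applies so far
  clock = 1000;                              // the burst's window has expired
  for (let i = 0; i < 500; i++) { fake.pushState(null, "", "/q" + i); clock += 200; }
  return { afterBurst, total: fake.entries.length, stats };
}
```

A wrapper installed from page script can be bypassed by the page itself, so a limit like this only has teeth when the browser enforces it; the sketch shows the shape of the check, not a deployable defence.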
