Also please note that if you visit the added link directly, it won't position it below the Windows bar in attempt to conceal it, the popup by its default scripted behaviour did but I failed to screenshot that before I moved the tab to close/inspect it, as when I drawn it into sight I was yet to find out what it was.

If you visit that link directly also, and watch Task manager in Windows, you will notice Chrome process starts using CPU intensively, which means it's cryptomining for these criminals.

Adam, thoughts here ? Is this WontFix ? 

Please feel free to dupe to Issue 766068.

(Oh, and the "hidden" window positioning part of this to Issue 467329).

@elawre I would rather suggest merging it instead (or duping and unlocking for non-security bug viewers) as this is the first practical case being detailed on how that vulnerability gets exploited. 

Also please note the script I reported here, raises CPU usage to only around 35% so it's more stealth for the creators not to alert the PC user something is going on without their consent. Besides that, issue 766068 may not realistically portray the dangers of having this problem unpatched, while my entry makes sense of it, issue 766068 is generalizing high JS script usage only.

The script ran by the page I referred is also of such advanced level (the code) that it can even be called web-ran malware instead. That other issue only gives examples of generic JS misuse that renders the browser unusable by 100% CPU usage, while this is designed to persist.

An situation where the now clearly web-ran malware is allowed to be executed and achieve malicious goals of its malware creators, cannot be united with a browser like Chrome used by unsuspecting PC users, as Chrome allows unmetered access to that person's computer hardware for criminal profitmaking/mining purpose without their consent (but in this case of the clever script also limiting CPU usage, also without their knownledge or direct clue to investigate for them)

Hiding a popup window is bad. As noted that's Issue 467329.

We cannot, realistically, fingerprint and block this pattern of computation: web sites will be able to outrun us by mutating the code. Blocking the loading of these scripts is thus something for extensions.

If this becomes too common, it might be something that the UI team needs to think about in order to better communicate to users which sites are taking CPU time. We have the Task Manager but it's (deliberately) a little obscure for regular users.

So I believe that this is a wait-and-see issue and not immediately actionable.

'If this becomes too common' - like the other issue reporter mentioned;

https://www.google.com/search?q=coinhive+ads+malware


https://www.theguardian.com/technology/2017/sep/27/pirate-bay-showtime-ads-websites-electricity-pay-bills-cryptocurrency-bitcoin
https://www.theregister.co.uk/2017/09/25/showtime_hit_with_coinmining_script
https://www.bleepingcomputer.com/news/security/coinhive-is-rapidly-becoming-a-favorite-tool-among-malware-devs/
https://blog.malwarebytes.com/threat-analysis/2017/09/drive-by-mining-and-ads-the-wild-wild-west/

If you don't think its seriously becoming common abusive practice already, then it has to be closely watched.

Also for that reason of the need for monitoring, can you unlock the issue's perms so it can be viewed by any contributor?

Absolutely, no reason for this to be restricted.