Impact
Version 3.0.7 of the Securly Chrome Extension is able to register a content script named content13.min.js at runtime using chrome.scripting.registerContentScripts(). The script is not declared in the extension's manifest.json, thereby evading the Chrome Web Store static security review. Once registered, the script runs on every URL, hides all page elements, overlays a full‑page cover, pauses videos, and only restores content after a service‑worker check confirms the page passes filtering. If the Securly servers are unreachable, the overlay remains and the page stays hidden indefinitely, effectively preventing the user from accessing any web content.
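An added example, not taken from the advisory or from the extension's own code: a static audit of an unpacked extension that lists scripts passed to chrome.scripting.registerContentScripts() but missing from the manifest's content_scripts, so they can be reviewed by hand. The manifest, the background.js source and all function names are constructed for illustration; only the file name content13.min.js comes from the advisory.

```javascript
// Constructed sample of an unpacked MV3 extension (not the real extension's files).
const sampleManifest = {
  manifest_version: 3,
  permissions: ["scripting", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.min.js"] }],
};
const sampleSources = {
  "background.js": `
    chrome.scripting.registerContentScripts([{
      id: "cover", js: ["content13.min.js"],
      matches: ["<all_urls>"], runAt: "document_start"
    }]);`,
  "content.min.js": "console.log('declared script');",
};

// Collect every script path the manifest declares statically.
function declaredScripts(manifest) {
  return new Set((manifest.content_scripts || []).flatMap((cs) => cs.js || []));
}

// Find registerContentScripts() calls and the .js string literals in their arguments.
// Heuristic: parentheses inside string literals are not handled.
function runtimeRegistrations(sources) {
  const found = [];
  const callRe = /scripting\s*\.\s*registerContentScripts\s*\(/g;
  for (const [file, text] of Object.entries(sources)) {
    for (const m of text.matchAll(callRe)) {
      // Walk to the matching ")" so only this call's arguments are scanned.
      const start = m.index + m[0].length;
      let depth = 1, i = start;
      for (; i < text.length && depth > 0; i++) {
        if (text[i] === "(") depth++;
        else if (text[i] === ")") depth--;
      }
      const args = text.slice(start, i);
      const scripts = [...args.matchAll(/["'`]([^"'`]+\.js)["'`]/g)].map((s) => s[1]);
      found.push({ file, scripts, allUrls: /<all_urls>|\*:\/\/\*\/\*/.test(args) });
    }
  }
  return found;
}

// Report runtime registrations whose scripts the manifest never declares.
// Calls with no literal file name (built dynamically) are also kept for manual review.
function auditExtension(manifest, sources) {
  const declared = declaredScripts(manifest);
  const hasScriptingPermission = (manifest.permissions || []).includes("scripting");
  return runtimeRegistrations(sources)
    .map((r) => ({ ...r, hasScriptingPermission, undeclared: r.scripts.filter((s) => !declared.has(s)) }))
    .filter((r) => r.undeclared.length > 0 || r.scripts.length === 0);
}
```

Runtime registration is a legitimate API, so a finding here marks a script that manifest-only review would miss, not proof of abuse.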
Affected Systems
Any user who has installed Securly Chrome Extension version 3.0.7 on Chrome, regardless of operating system or device type, is affected. Each browser instance where the extension is enabled experiences the denial of content. The impact applies globally to all web traffic passing through the extension’s filtering service.
Risk and Exploitability
The CVSS score is 7.5 and the EPSS score is < 1%. The vulnerability is locally exploitable once the extension is present; no remote access or additional prerequisites are required. The likelihood of an outage is tied to the availability of the Securly service. The risk remains high in environments where that service is critical, as the attack vector is a locally installed extension that can block all content.