Google has launched Chrome 63 for Windows, Mac, and Linux. Additions in this release include dynamic module imports, async iterators and generators, Device Memory API, among other developer features. You can update to the latest version now using the browser’s built-in silent updater or download it directly from

Chrome is arguably more than a browser. With over 1 billion users, it’s a major platform that web developers have to consider. In fact, with Chrome’s regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available.

First up, the addition of dynamic module imports means the import(specifier) syntax now allows developers to dynamically load code into modules and scripts at runtime. This can be used for lazy-loading a script only when it’s needed — importing JavaScript modules was completely static until now, meaning developers could not import modules based on runtime conditions.

Async generator functions can help developers streamline the consumption or implementation of streaming data sources, while async iterators can be used in for loops and also to create custom async iterators through async iterator factories. This should lead to more elegant code — see the async iteration proposal for more information.

Chrome 63 also implements the Device Memory API, which helps developers create one user experience that can work across all devices. This new API uses the total RAM on a user’s machine to provide insights into device constraints and tailors content at runtime in accordance with hardware limitations. Developers can use it to serve a “lite” app to users on low-end devices or to add context to metrics, such as the amount of time a task takes to complete in JavaScript.

Developers will also want to know that Chrome 63 includes an update to the V8 JavaScript engine: version 6.3. You can expect speed improvements, slightly lower memory consumption, and new ECMAScript language features. Check out the summary of API changes for more information.

Chrome 63 was supposed to add a new option to completely disable audio for individual sites. It doesn’t appear to be included for whatever reason, but we’ll update you if that changes.

Other developer features in this release (some are mobile-specific):

For what’s new in the browser’s DevTools, check out the release notes.

Chrome 63 also implements 37 security fixes. The following ones were found by external researchers:

  • [$10500][778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson on 2017-10-26
  • [$6337][762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu of Tencent’s Xuanwu LAB on 2017-09-06
  • [$5000][763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous on 2017-09-11
  • [$5000][765921] High CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-16
  • [$5000][770148] High CVE-2017-15411: Use after free in PDFium. Reported by Luật Nguyễn (@l4wio) of KeenLab, Tencent on 2017-09-29
  • [$3500][727039] High CVE-2017-15412: Use after free in libXML. Reported by Nick Wellnhofer on 2017-05-27
  • [$500][766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan(@007gauravdewan) of Adobe Systems India Pvt. Ltd. on 2017-09-19
  • [$3337][765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15
  • [$2500][779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson on 2017-10-28
  • [$2000][699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia . Reported by Max May on 2017-03-07
  • [$1000][765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal Arvind Shah of Fortinet’s FortiGuard Labs on 2017-09-15
  • [$1000][780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-10-31
  • [$500][777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-10-23
  • [$TBD][774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13
  • [$500][778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by Greg Hudson on 2017-10-25
  • [$N/A][756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani on 2017-08-16
  • [$N/A][756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr of Tencent’s Xuanwu Lab on 2017-08-17
  • [$N/A][756735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu of Tencent’s Xuanwu Lab on 2017-08-18
  • [$N/A][768910] Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. Reported by Junaid Farhan ( on 2017-09-26
  • [792099] Various fixes from internal audits, fuzzing and other initiatives

Google thus spent at least $46,674 in bug bounties for this release. As always, the security fixes alone should be enough incentive for you to upgrade.

Google releases a new version of its browser every six weeks or so. Chrome 64 will arrive by late January.

In related news, Google released Chrome 63 for Android yesterday. In addition to performance and stability fixes, you can enjoy improvements to autocompletion in the address bar and permission requests presented as modal dialogs (which Google claims reduces the overall number of permission prompts by 50 percent).