How does malware auto-download work?

Hey, I know it's probably not the right place to ask this, but I don't have any idea where I should ask.

So I've been hearing all my life that you can get malware just by visiting a page, but that just seems unreal. How can something download to your computer without you interacting? Is it some exploit in the browser?

You can use JavaScript to auto-download files; however, your browser will typically ask you if you would like the file before you download it. Otherwise, it's not possible to instantly get malware by visiting a page. More commonly, a user will be tricked into downloading something nasty by downloading a file they want, e.g. pirated movies and software.

Some malware also uses something called service workers (they run JavaScript in the background of Chrome, so when you close the tab the JavaScript will still be running), which basically let them track you even when you close the tab, and they can see all sorts of information about your computer without you enabling access.

Also, I believe certain browsers automatically run files after download, which combined with auto-download is very concerning (old Edge/IE?).

Maybe I'm getting this mixed up with autoplay for drives.
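
The script-triggered download and the service worker registration mentioned in the replies above, seen from the detection side. This is an added example, not part of the original thread: a small static scanner that flags page source which starts a download or registers a service worker without a user action. The rule names, the sample pages and the `files.example.invalid` host are constructed for illustration, and the blob-URL rule goes slightly beyond the cases named in the thread.

```javascript
// Heuristic rules; each rule fires only if every pattern in `all` matches.
// "review" = worth a manual look, "info" = common on legitimate sites too.
const RULES = [
  { id: "programmatic-download-click", level: "review",
    all: [/\.download\s*=|setAttribute\(\s*["']download["']/, /\.click\s*\(\s*\)/] },
  { id: "blob-url-created", level: "review",
    all: [/URL\.createObjectURL\s*\(/] },
  { id: "service-worker-register", level: "info",
    all: [/navigator\.serviceWorker\.register\s*\(/] },
];

// 1-based line number of the first match, or null when there is none.
function lineOf(source, regex) {
  const m = regex.exec(source);
  return m ? source.slice(0, m.index).split("\n").length : null;
}

// Returns one finding per rule that fully matches, with the matching lines.
function scanPage(source) {
  const findings = [];
  for (const rule of RULES) {
    const lines = rule.all.map((re) => lineOf(source, re));
    if (lines.every((n) => n !== null)) {
      findings.push({ id: rule.id, level: rule.level, lines });
    }
  }
  return findings;
}

// Constructed sample: script builds a download link and clicks it itself.
const SAMPLE_AUTO = `
<html><body><script>
  const a = document.createElement("a");
  a.href = "https://files.example.invalid/setup.exe";
  a.download = "setup.exe";
  document.body.appendChild(a);
  a.click();
  navigator.serviceWorker.register("/sw.js");
</script></body></html>`;

// Constructed sample: an ordinary download link the user has to click.
const SAMPLE_PLAIN = `<html><body><a href="/docs/manual.pdf" download>Manual</a></body></html>`;

console.log(JSON.stringify(scanPage(SAMPLE_AUTO)));
console.log(JSON.stringify(scanPage(SAMPLE_PLAIN)));
```

A hit means the page can begin a download on its own; whether the file is saved or run is still decided by the browser's download handling and the user.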