AnAI browser is aweb browser with integratedartificial intelligence capabilities, such as automatically summarizingweb page content or answering questions about it. A more specialized type is anagentic browser, based on the concept ofagentic AI, which can take actions – such as navigating webpages or filling outforms – on behalf of the user.[1][2]
As of 2025, this is a recent development in the browser market, including new entrants fromOpenAI,Opera andPerplexity.[6][7] The designation of 'AI browser' also includes established browsers that later added non-agentic AI features, such asMicrosoft Edge with theCopilot chatbot,[8]Google Chrome with theGeminichatbot (for Windows desktop users in the US with their language set to English),[9] andFirefox with multiple chatbot providers (such as ChatGPT,Claude, Copilot, Gemini, and Le Chat).[10]
Rather than creating entirely new browsers, some AI browsing solutions integrate with existing browsers through extensions or companion applications. These tools add agentic capabilities to established browsers without requiring users to switch platforms. Examples include Composite, which functions as a cross-browser agent that works with Chrome, Edge, and other browsers to automate web-based tasks for workers.[11][12][13]
Cloud-based implementations of AI browsers allow users to run automated browsing agents without local installation. These systems operate on remote servers using frameworks such as Puppeteer orPlaywright. Examples include Browserbase,[14] Browser-use and AI Browser.[15] The AI typically parses the Document Object Model (DOM)[16] to locate and interact with page elements, and may also analyze browser screenshots to interpret layout and structure.[citation needed]
AI browsers have been noted to be susceptible to being vulnerable toprompt injection attacks, in which the content of websites can be used to hijack the control of the browser. Multiple organisations have argued against using AI browsers due to this vulnerability.[17] The United Kingdom national cyber security centre and Gartner consider them to be too risky for adoption by most organisations.[18][19]
^Greshake, Kai; Abdelnabi, Sahar; Mishra, Shailesh; Endres, Christoph; Holz, Thorsten; Fritz, Mario (5 May 2023). "Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection".arXiv:2302.12173 [cs.CR].