The Web Applications Working Group has published Web Share API as a W3C Recommendation. This specification defines an API for sharing text, links and other content to an arbitrary destination of the user’s choice. The available share targets are not specified here; they are provided by the user agent. They could, for example, be apps, websites or contacts.
While I haven’t read through the spec to see how they deal with this, my immediate thought upon seeing the JS snippets is how spam sites might use it. Similar to a MFA fatigue attack, it seems plausible to me you may use this API to get your spam shared by shoving the share menu on people’s faces repeatedly.
Nah, the share api just pops up the OS share dialog, if the user didn’t want that they can just close it, if they click a share target then when the share target usually asks for another confirmation click. It’s not likely the user will click three times accidentally.