A bug in Tor Browser allows execution of JavaScript even in Safest security level

Tor Project maintainers warned users about a severe flaw in the Tor browser that may execute JavaScript code on sites it should not.

The Tor Project announced a major bug in the Tor browser that may cause the execution of JavaScript code on sites for which users have specifically blocked JavaScript.

The development team at the Tor Project announced that it is already working on a fix, but at the time it is not clear when it will be rolled out.

The feature that prevents the execution of JavaScript code on specific sites is essential for the privacy-friendly Tor Browser that uses it to prevent online surveillance. Malicious JavaScrip codes could reveal the real IP addresses of Tor users if executed.

Such kind of scripts was also employed in investigations conducted by law enforcement, in 2013, the FBI admitted attack against the Freedom Hosting, probably the most popular Tor hidden service operator company at the time.

This week, the Tor Project released the Tor Browser version 9.0.6 that features important security updates to Firefox.

The maintainers of the Tor Project announced that they have discovered a bug in TBB’s security options. The bug causes the execution of JavaScript code even when the browser was set up to use the highest security level, the level “Safest”.

“We are aware of a bug that allows javascript execution on the Safest security level (in some situations).” reads the post published by the Tor team. “We are working on a fix for this. If you require that javascript is blocked, then you may completely disable it by:

Open about:config
Search for: javascript.enabled
If the “Value” column says “false”, then javascript is already disabled.
If the “Value” column says “true”, then either right-click and select “Toggle” such that it is now disabled or double-click on the row and it will be disabled.”

The Tor team confirmed that Noscript 11.0.17 should solve this issue and that the issue is automatically updated by default.

“Automatic updates of Noscript are enabled by default, so you should get this fix automatically.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Tor Browser)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.