A bug in Tor Browser allows execution of JavaScript even in Safest security level

Tor Project maintainers warned users about a severe flaw in the Tor browser that may execute JavaScript code on sites it should not.

The Tor Project announced a major bug in the Tor browser that may cause the execution of JavaScript code on sites for which users have specifically blocked JavaScript.

The development team at the Tor Project announced that it is already working on a fix, but at the time it is not clear when it will be rolled out.

The feature that prevents the execution of JavaScript code on specific sites is essential for the privacy-friendly Tor Browser that uses it to prevent online surveillance. Malicious JavaScrip codes could reveal the real IP addresses of Tor users if executed.

Such kind of scripts was also employed in investigations conducted by law enforcement, in 2013, the FBI admitted attack against the Freedom Hosting, probably the most popular Tor hidden service operator company at the time.

This week, the Tor Project released the Tor Browser version 9.0.6 that features important security updates to Firefox.

The maintainers of the Tor Project announced that they have discovered a bug in TBB’s security options. The bug causes the execution of JavaScript code even when the browser was set up to use the highest security level, the level “Safest”.

“We are aware of a bug that allows javascript execution on the Safest security level (in some situations).” reads the post published by the Tor team. “We are working on a fix for this. If you require that javascript is blocked, then you may completely disable it by:

• Open about:config
• Search for: javascript.enabled
• If the “Value” column says “false”, then javascript is already disabled.
• If the “Value” column says “true”, then either right-click and select “Toggle” such that it is now disabled or double-click on the row and it will be disabled.”

The Tor team confirmed that Noscript 11.0.17 should solve this issue and that the issue is automatically updated by default.

“Automatic updates of Noscript are enabled by default, so you should get this fix automatically.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Tor Browser)

[adrotate banner=”5″]

[adrotate banner=”13″]