Tor Browser 9.0.7 addresses a flaw that could allow unmasking Tor users

Pierluigi Paganini March 25, 2020

The Tor Project released Tor Browser 9.0.7 that definitively addresses a vulnerability that allowed to execute JavaScript code on sites it should not.

The Tor Project released Tor Browser 9.0.7 that permanently addresses a severe bug that allowed JavaScript code to run on sites it should not.

A couple of weeks ago, the Tor Project announced a major bug in the Tor browser that may cause the execution of JavaScript code on sites for which users have specifically blocked JavaScript.

The development team at the Tor Project announced that it was already working on a fix, and now it has released Tor Browser 9.0.7 that definitively addresses the issue.

The feature that prevents the execution of JavaScript code on specific sites is essential for the privacy-friendly Tor Browser that uses it to prevent online surveillance. Malicious JavaScrip codes could reveal the real IP addresses of Tor users if executed.

Such kind of scripts was also employed in investigations conducted by law enforcement, in 2013, the FBI admitted attack against the Freedom Hosting, probably the most popular Tor hidden service operator company at the time.

The flaw addressed by the Tor Project exists in TBB’s security options. The bug causes the execution of JavaScript code, even when the browser was set up to use the highest security level, the level “Safest”.

JavaScript code could be used for fingerprinting or unmasking Tor users.

The latest version released by the Tor Project disables by default any JavaScript code on non-HTTPS sites visited by the users that have set up the Safest security level. This change could affect users’ workflow if they previously allowed Javascript on some sites using NoScript

this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript.” reads the press release published by the Tor Project. “While you are on “Safest” you may restore the previous behavior and allow Javascript by:

  • Open about:config
  • Search for: javascript.enabled
  • The “Value” column should show “false”
  • Either: right-click and select “Toggle” such that it is now disabled or double-click on the row and it will be disabled.”

This precaution will be adopted until the recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Tor Browser, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment