Critical JavaScript vulnerability in Tor browser is fixed; update your Tor implementation

Users expose more than just their privacy when browsing the Internet. A group of computer forensics researchers disclosed a flaw in the Tor browser that could have allowed JavaScript to run on any website, even when users had disabled it in order to take full advantage of the anonymity this tool provides.

With the release of version 9.0.6, The Tor Project announced that the flaw had been corrected; however, browser users are strongly advised to disable JavaScript manually to fully mitigate the issue.

The team behind Tor performed an extensive review of NoScript, the browser extension used to control the execution of JavaScript, Java, Flash and other plugins; this extension was also updated (to version 11.0.17). According to computer forensics experts, whether users are affected by this flaw depends on how their Tor implementation is configured to handle JavaScript.

Tor has JavaScript enabled by default, although users have two options for changing this:

  • “safer”, to disable JavaScript on sites without HTTPS
  • “safest”, to disable JavaScript completely

Researchers note that leaving JavaScript enabled exposes users to having the anonymity provided by Tor compromised in some scenarios, for example if a threat actor exploits a vulnerability in the underlying Firefox browser.

Exploitation of this scenario has been reported on at least two previous occasions, and Mozilla released patches to prevent further real-world incidents. It should be noted that many sites that rely on JavaScript may break if it is disabled completely.

Computer forensics researchers note that the latest Tor update primarily affects users on the “safest” setting, because under some circumstances disabling JavaScript might not have taken effect; in their report, the browser maintainers state that the extension will be updated automatically.

For more information on recently encountered security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the official sites of tech companies.