A zero-day vulnerability in Tor Browser was revealed yesterday on Twitter by Zerodium, a company that buys and sells software exploits.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
However, the bug can be exploited only in Tor Browser 7.x; the recently released Tor Browser 8.x is unaffected.
The reason is the move of Tor Browser's codebase from the older Firefox core to the new Firefox Quantum platform, whose new add-on APIs protect version 8 from this vulnerability.
In addition, the NoScript add-on was rewritten last year to make it compatible with the new Firefox Quantum platform. This is why the zero-day exploit in question does not work on the new Tor Browser 8.x series.
Following the revelation by Zerodium, a new NoScript “Classic” version, 126.96.36.199, has been released by the company to block the zero-day’s exploitation vector.
I said FIXED, guys 🙂
Get 188.8.131.52 here: https://t.co/0h5BHFexTw
— Giorgio Maone (@ma1) September 10, 2018
Meanwhile, the Tor Project has issued an official statement to ZDNet:
“It is a bug in NoScript and not a zero-day exploit of Tor Browser that circumvents its privacy protections. For bypassing Tor, a real browser exploit would still be needed.”
Nevertheless, it is advisable for Tor users to either install the NoScript update or switch to Tor Browser 8.x for better security.
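The Content-Type value quoted in Zerodium's advisory, "text/html;/json", is not a well-formed media type under the RFC 7231 grammar, because "/json" is not a `name=value` parameter. The following is an added example, not code from the article, NoScript or the Tor Project: a defender-side check that flags such malformed headers in recorded HTTP responses. The function names and sample records are constructed for illustration, and the check makes no claim about how NoScript itself parsed the header.

```python
import re

# RFC 7231 media-type grammar: type "/" subtype *( OWS ";" OWS parameter )
# parameter = token "=" ( token / quoted-string )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}$")
PARAMETER = re.compile(rf"^{TOKEN}=(?:{TOKEN}|{QUOTED})$")


def split_segments(value):
    """Split a header value on ';', ignoring ';' inside quoted strings."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            escaped = False
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return [p.strip(" \t") for p in parts]


def check_content_type(value):
    """Return a list of grammar problems; an empty list means well-formed."""
    segments = split_segments(value)
    problems = []
    if not MEDIA_TYPE.match(segments[0]):
        problems.append(f"malformed media type: {segments[0]!r}")
    for seg in segments[1:]:
        if seg == "":  # a trailing ';' is tolerated here to limit noise
            continue
        if not PARAMETER.match(seg):
            problems.append(f"malformed parameter: {seg!r}")
    return problems


def flag_responses(records):
    """Return (url, content_type, problems) for each malformed header."""
    checked = ((url, ct, check_content_type(ct)) for url, ct in records)
    return [row for row in checked if row[2]]


# Constructed sample records (URL, Content-Type), not real traffic.
SAMPLE = [
    ("https://example.test/a", "text/html; charset=utf-8"),
    ("https://example.test/b", "text/html;/json"),
    ("https://example.test/c", 'application/json; charset="utf-8"'),
    ("https://example.test/d", "text/html;"),
]

if __name__ == "__main__":
    for url, ct, problems in flag_responses(SAMPLE):
        print(url, repr(ct), problems)
```

Only the second sample record is flagged; the well-formed headers and the trailing-semicolon case pass.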