News

‘Bug lets attacker run JavaScript in Tor Browser 7 despite NoScript’

By admin
Spread the love

Zerodium, a company active as a vulnerability dealer, has warned of a vulnerability in version 7.x of the Tor Browser, which allows JavaScript to run even though the browser is set to block it. NoScript got an update.

Levels in Tor Browser

The company describes the vulnerability in a tweet and reports that “Tor Browser 7.x contains a serious vulnerability that allows bypassing the most secure level of the browser and NoScript.” That is an extension that blocks scripts on web pages by default, where users can apply a whitelist. The Tor Browser allows for different levels of security, with ‘safest’ also blocking JavaScript on all sites. It is unclear whether the company has contacted the Tor Project to report the leak. The organization has not yet responded to the publication.

According to Zerodium, it is possible to exploit the vulnerability by changing the content-type header on a page to: text/html;/json. Therefore, it seems required for an attacker to lure a victim to a malicious page under his control. Security researcher x0rz has tested this proof-of-concept and says it’s easy to apply. He publishes a video on Twitter to support his claim. The corresponding code is on GitHub. He recommends that users update to the recently released Tor Browser 8. It wouldn’t be vulnerable. NoScript Classic has since implemented a patch, to version number 5.1.8.7.

Facebook Notice for EU! You need to login to view and post FB Comments!
You might also like
News

X begins to deploy the audio and video calling function (but only paying users can…

News

EU Council determines position on security requirements for digital products

News

Meta introduces open source language model Llama 2, works on PCs and phones

News

Telegram has over 800 million active users and is not yet profitable

News

Brave sells web content as data for AI training

News

Elon Musk: Twitter loses half of ad revenue