The Tor Project released Tor Browser 9.0.7 today with a permanent fix for a bug that allowed JavaScript code to run on the Safest security level in some situations while using the previous Tor Browser version.
Since Tor Browser users are relying on its security features to anonymously browse the Internet, having their identity exposed by a JavaScript that could be used for fingerprinting or unveiling their true location defeated the browser’s private browsing promise without tracking, surveillance, or censorship.
After updating to the latest version, all JavaScript code is again disabled automatically on non-HTTPS sites while browsing the web with the Tor Browser on the Safest security level.
“If you browse on Tor Browser’s “Safest” security level: This release disables Javascript,” the Tor Project team tweeted. “This may change your workflow if you previously allowed Javascript on some sites using NoScript.”
“We’re taking this precaution until we’re confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.”
While users were recommended to follow toggle off the javascript.enabled flag within the browser’s about:config dialog when Tor Browser 9.0.6 was released, the NoScript 11.0.17 update that automatically applied to all users was supposed to have fixed the bug.
But user reports later said that the extension update didn’t fully mitigate the issue which, again, could have led to some users’ info being accidentally leaked and potentially deanonymizing them.
The release of Tor Browser 9.0.7, however, now disables Javascript for the entire browser when the Safest security level is selected as it should.
While on the Safest security level, users can restore the previous behavior and allow JavaScript by following this procedure:
1. Open about:config
2. Search for: javascript.enabled
3. The “Value” column should show “false”
4. Either: right-click and select “Toggle” such that it is now disabled or double-click on the row and it will be disabled.
“We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability,” the Tor team explains.
This is not the first bug that could have been used to unmask Tor Browser users, with information exposure vulnerabilities being patched in the past by the Tor Project team to block attackers from bypassing the browser’s anonymity features and discover the client’s IP address, their language, or their UI locale.