[tbb-bugs] #22974 [Applications/Tor Browser]: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 19 09:15:29 UTC 2017

#22974: NoScript (and Tor Browser) vulnerable to Mozilla Add-On Code Execution
 Reporter:  tom                       |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by gk):

 Replying to [ticket:22974 tom]:
 > 3) In 59, when Web Extensions are around this won't be as big of a
 concern. Mozilla can't get code execution but could neuter the effect of
 an add-on or turn it into spyware (assuming we keep extension updating in
 place). Whether web extensions will support an updateKey mechanism is an
 open question (they don't now, EFF wants it. Tor might wish to lend
 support to the argument. If Tor could get another partner repack to join
 in that would help even more I bet.)

 To be honest I am not sure whether we as Tor should push for that. On one
 hand that allows to add an extra layer of security which is a good thing
 for all Firefox users but on the other hand do we want to get rid of
 extension update pinging and extension updating via AMO in our default Tor
 Browser configuration as a result of the HPKP fiasco (see #20146).

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22974#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list