[tor-bugs] #33814 [Applications/Tor Browser]: Concerns about recent bug that allowed JavaScript to run in Tor Browser, even in the "safest" security setting

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Apr 5 00:11:17 UTC 2020


#33814: Concerns about recent bug that allowed JavaScript to run in Tor Browser,
even in the "safest" security setting
------------------------------+------------------------------------------
 Reporter:  Tor235            |          Owner:  tbb-team
     Type:  defect            |         Status:  new
 Priority:  Very High         |      Component:  Applications/Tor Browser
  Version:  Tor: unspecified  |       Severity:  Critical
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+------------------------------------------
 I have concerns regarding the recent bug that allowed JavaScript to run in
 Tor Browser even in the "safest" security setting (i.e. JavaScript wasn't
 disabled).

 Throughout the past few months, I have been using Tor Browser (set to the
 "safest" security level), and I'm worried that my real IP address may have
 leaked due to this JavaScript bug. The Tor website says, "We are aware of
 a bug that allows javascript execution on the Safest security level (in
 some situations)." What situations is the Tor team referring to? I always
 have the Tor Browser's security level set to the "safest" setting, without
 exception -- does that mean that JavaScript was blocked at all times, even
 when the bug was present?

 The reason I'm wondering what situations / circumstances would've enabled
 JavaScript (in the "safest" security setting) (when the bug was present)
 is because I want to know if I ended up in any of those situations, and
 also how to avoid those situations in the future (should another bug
 occur).

 As was said in a different ticket, at around the same time that Tor Browser
 9.0.6 was released, I got an error message in the NoScript icon in Tor
 Browser -- the error message said, "In order to operate on this tab,
 NoScript needs to reload it. Proceed?" Now that I know there was a bug
 present around this time (mid-March 2020), I'm wondering if that error
 message was related to the JavaScript bug -- I'm also wondering if that
 error message would've allowed JavaScript to run (even in the "safest"
 security setting) and potentially leak my real IP address.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33814>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

