11 Sep 2018

Zerodium, the company which buys and sells vulnerabilities in software has publicly revealed a critical zero-day flaw in the Firefox based browser, Tor Browser which could reveal your identity to the sites you visit.

Zerodium tweeted by sharing a zero-day vulnerability that exists in the NoScript browser plugin which comes pre-installed with the Mozilla Firefox bundled in the Tor software.

NoScript is a free browser extension that performs a whitelist approach which blocks malicious JavaScript, Java, Flash and other potentially dangerous content on all web pages by default.

According to Zerodium, NoScript “Classic” versions 5.0.4 to 5.1.8.6–with ‘Safest’ security level enabled–included in Tor Browser 7.5.6 can be bypassed to run any JavaScript file by changing its content-type header to JSON format.

This means that a website can exploit this vulnerability to execute malicious JavaScript on victims’ Tor browsers to effectively identify their real IP address.

The zero-day affects only the Tor Browser 7.x series. The latest version of Tor browser, Tor 8.0, which was released recently is not vulnerable to this flaw, as the NoScript plugin designed for the newer version of Firefox (“Quantum”) is based upon a different API format.

The Tor 7.x users are strongly advised to immediately update their browser to the latest Tor 8.0 release.

NoScript has also fixed the zero-day flaw with the release of NoScript “Classic” version 5.1.8.7.

Technical Writer,  Blogger,

Leave your thought

This site uses Akismet to reduce spam. Learn how your comment data is processed.