Tor team warns of Tor Browser bug that runs JavaScript on sites it shouldn't

Tor team says it's working on a fix, but has no timeline.
Written by Catalin Cimpanu, Contributor
Image: Tor Project

Updated on March 15 to add that through an update to the NoScript extension (v11.0.17), this issue has been fixed. Original article below.

The Tor Project warned users yesterday about a major bug in its browser that may execute JavaScript code on sites that users have specifically blocked JavaScript from running.

Tor developers said they are working on a fix; however, they did not provide a timeline for a patch.

The ability to block JavaScript code execution is a crucial security feature of the Tor Browser Bundle (TBB), a browser with enhanced privacy-preserving features that also masks real IP addresses (locations) to keep users anonymous online.

Because of these features, the browser is often used by journalists, political activities, and dissidents in oppressive countries, as a way to skirt firewalls and online censorship.

In the past, there have been exploits that used JavaScript code to unmask a Tor Browser user's real IP address. Some have been used to target and unmask criminal activities [1, 2], while others were used in mysterious circumstances [1, 2].

Yesterday, the Tor team said they found a bug in TBB's security options. When the browser was configured to use the highest security level (called "Safest"), it still allowed JavaScript code to execute, even if it should have blocked it.

Image: ZDNet

"We are aware of a bug that allows JavaScript execution on the Safest security level (in some situations)," the Tor team said.

"We are working on a fix for this. If you require that JavaScript is blocked, then you may completely disable it."

To completely disable JavaScript execution in the Tor Browser, the Tor team provided the following instructions:

  • Open about:config
  • Search for: javascript.enabled
  • If the "Value" column says "false", then JavaScript is already disabled.
  • If the "Value" column says "true", then either right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.

All the Chromium-based browsers

Editorial standards