Zerodium recently reported the discovery of a new zero-day exploit in Tor browser. The same exploit vendor earlier this year offered $1 million for submitting such an exploit for Tor browser. The new Tor zero-day could reveal the identity of the websites visited by the user.
Zerodium Reveals Tor Browser Zero-Day in a Tweet
Тhe exploit vendor reported the flaw and gave instructions on how it can be reproduced in a tweet posted on Monday. It appears that the recently released Tor Browser 8 is not affected by the zero-day:
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS). PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is not affected.
Fortunately, the latest version of Tor is not affected by this vulnerability, simply because the NoScript plugin for the Quantum version of Firefox is based upon a different API format. However, users running Tor 7.x are urged to update the browser as soon as possible to the latest release to avoid any compromise.
Finally, NoScript was notified about the issue and fixed the flaw with the release of NoScript “Classic” version 126.96.36.199.