TBB3.5's NoScript allows addons.mozilla.org even when scripts are globally forbidden
Hi
There's a bug in NoScript: If the user clicks on "Forbid Scripts Globally", scripts are disabled, except for one site: addons.mozilla.org. This site was automatically added to the NoScript whitelist.
Note that this bug has security implications - a malicious exit node can redirect the user to addons.mozilla.org and then return any fake data (including some 0-day javascript exploit) as content of addons.mozilla.org. Thus, the user is vulnerable to javascript exploits, even if the user disables javascript by clicking on "Forbid Scripts Globally".
There are other URLs in the whitelist, starting with about:, blob:, chrome:, resource: - they are hopefully not exploitable, but you should it check anyway - can, for example, some malicious site redirect the user to one of these whitelist URLs and use cross-site-scripting to run some javascript? I don't know.
Please patch the NoScript add-on in the Tor Browser Bundle, so that it has empty whitelist.
Trac:
Username: torar