If one customizes NoScript so that objects are blocked while JavaScript is enabled, the browser locale is leaked even if the user opted in to hiding it.
This issue got reported to our HackerOne bug bounty program by ryotak, thanks!
You mean because it gives you a "404 Not Found" page? That's part of the PoC and comes from the test.html file. You'll see the PoC in action if you drag the NoScript icon to the toolbar and customize it by making sure object is blocked while JavaScript is still allowed.
Thanks, I can see it now.
I could devise some work-around, but the underlying issue IMHO is that browser.i18n.getMessage() in WebExtensions' content scripts should use whatever fake locale ("en", I guess) you choose as fingerprinting-resistant and exposed to content, isn't it?
Yes, I think so. We should probably have a Firefox patch for that given that this is a general problem. Given that this is only exposed in a non-standard Tor Browser configuration I think we have more important NoScript related issues in our bug tracker to deal with (which is, of course, not meant as an argument against a work-around ;) ).
I want to tell you something in the HackerOne thread that is related to this bug. Tor Browser is vulnerable to this attack in supported settings. Can you look into it please?
Note: Tor Browser is not vulnerable to this attack in any of the supported default settings (that is on any of the security settings levels).
Right. I was wrong here and I changed the description accordingly. One can see this on the medium-security level as well with media content being click-to-play.
Trac: Description: If one customizes NoScript so that objects are blocked while JavaScript is enabled, the browser locale is leaked even if the user opted in to hiding it.
This issue got reported to our HackerOne bug bounty program by ryotak, thanks!
Note: Tor Browser is not vulnerable to this attack in any of the supported default settings (that is on any of the security settings levels).
to
If one customizes NoScript so that objects are blocked while JavaScript is enabled, the browser locale is leaked even if the user opted in to hiding it.
This issue got reported to our HackerOne bug bounty program by ryotak, thanks!