Opened 7 months ago

#33814 new defect

Concerns about recent bug that allowed JavaScript to run in Tor Browser, even in the "safest" security setting

Reported by: Tor235
Owned by: tbb-team
Priority: Very High
Milestone:
Component: Applications/Tor Browser
Version: Tor: unspecified
Severity: Critical
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


I have concerns regarding the recent bug that allowed JavaScript to run in Tor Browser even in the "safest" security setting (i.e. JavaScript wasn't disabled).

Throughout the past few months, I have been using Tor Browser (set to the "safest" security level), and I'm worried that my real IP address may have leaked due to this JavaScript bug. The Tor website says, "We are aware of a bug that allows javascript execution on the Safest security level (in some situations)." What situations is the Tor team referring to? I always have the Tor Browser's security level set to the "safest" setting, without exception -- does that mean that JavaScript was blocked at all times, even when the bug was present?

The reason I'm wondering what situations / circumstances would've enabled JavaScript (in the "safest" security setting) (when the bug was present) is because I want to know if I ended up in any of those situations, and also how to avoid those situations in the future (should another bug occur).

As was said in a different ticket, at around the same time that Tor Browser 9.0.6 was released, I got an error message in the NoScript icon in Tor Browser -- the error message said, "In order to operate on this tab, NoScript needs to reload it. Proceed?" Now that I know there was a bug present around this time (mid-March 2020), I'm wondering if that error message was related to the JavaScript bug -- I'm also wondering if that error message would've allowed JavaScript to run (even in the "safest" security setting) and potentially leak my real IP address.
