The Tor Browser is a free and open-source software for enabling anonymous communication, by bouncing users internet traffic through thousands of relays.
This way, the browser can conceal its users' location and usage from anyone who are conducting network surveillance and traffic analysis. The Tor Browser is also the popular method to browse the deep web. But here, its researchers found an issue in the browser.
The Tor Project warned users about a major bug in the browser that may execute JavaScript code on websites' web pages that users have specifically blocked JavaScript from running.
The team said on a blog post, when announcing the release of Tor version 9.0.6:
"We are working on a fix for this. If you require that JavaScript is blocked, then you may completely disable it."
JavaScript can run on the client side, meaning that it runs inside the browser rather than the server. Specialized JavaScript on a website can be designed to reveal many information about visitors.
This is why people who want to browse the web in a more private manner are often advised to turn off JavaScript on their browser.
In the Tor Browser, the ability to block JavaScript code execution is a crucial security in the Tor Browser Bundle (TBB).
And because the bug was actually found in TBB's security options, the bug is a serious one.
In the past, there have been exploits that used JavaScript code to reveal a Tor Browser user's real IP address, most notably when the authorities try to target and unmask criminal activities.
The Tor Browser is designed by privacy-preserving features that also masks real IP addresses to keep users anonymous online.
This is why the browser is often used by journalists, political activities, dissidents in oppressive countries, and others that also include cyber criminals, as a way to evade firewalls, online censorship and in order to talk without having to be afraid of regulations.
Disabling and blocking Javascript is one of Tor’s key features for preserving users' anonymity. But the bug undermines its safety, making the browser potentially dangerous for users who rely on its anonymity since companies, government entities, and even hackers can use Javascript to find visitors of a site's IP addresses.
To completely disable JavaScript execution in the Tor Browser, the Tor team provided the following instructions:
- Open about:config.
- Search for: javascript.enabled.
- If the "Value" column says "false", then JavaScript is already disabled.
- If the "Value" column says "true", then either right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.
The researchers also noted that Tor Browser's Noscript 11.0.17 can help solve this issue.