Tor Browser Version 9.0.7 Patched Bug That Could Deanonymize Users Using JavaScript


The Tor Project released Tor Browser 9.0.7 with a critical bug fix.

Previously, Tor Browser had a bug that allowed JavaScript to run on websites where it shouldn't. The bug was in the security options of the Tor Browser Bundle (TBB), which makes it a serious one.

In the past, there have been exploits that used JavaScript code to reveal a Tor Browser user's real IP address, most notably when authorities have tried to target and unmask criminal activity.

The Tor Project warned users about this major bug, saying at the time that users had to completely disable JavaScript execution in the Tor Browser for it to stop running scripts on websites where it shouldn't.

However, users have noted that the NoScript 11.0.17 update that automatically applied to all users didn't fully mitigate the issue.

This, again, could have led to some users' information being accidentally leaked and potentially deanonymizing them.

This particular bug is patched in Tor Browser 9.0.7.

With this version, the team at the Tor Project finally introduces a permanent fix for the issue.

According to the Tor Project in the announcement:

"This release updates Tor to 0.4.2.7 and NoScript to 11.0.19."

"In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript."

The Tor Browser is designed with privacy-preserving features that also mask real IP addresses to keep users anonymous online.

This is why the browser is often used by journalists, political activists, dissidents in oppressive countries, and others, including cyber criminals, as a way to evade firewalls and online censorship, and to talk without having to be afraid of regulations.

Since Tor users rely on the browser's security features to browse the Internet anonymously, having their identity exposed by JavaScript could mean catastrophe.

With a user's IP address unveiled, hackers can use the information for fingerprinting or to reveal the user's true location.

Starting with version 9.0.7, Tor Browser can make sure that all JavaScript code is again disabled automatically on non-HTTPS sites while browsing the web on the browser's Safest security level.

The version also bumps the HTTPS Everywhere extension to version 2020.3.16.

To make use of the patch, users should restore the previous behavior urged by Tor.

"This may change your workflow if you previously allowed JavaScript on some sites using NoScript," the team said, adding that "we're taking this precaution until we're confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability."

Published: 26/03/2020