Exploit vendor drops Tor Browser zero-day on Twitter

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network. In a tweet, Zerodium said the vulnerability is a full bypass of the ‘Safest’ security level of the NoScript extension that’s included by default with all Tor Browser distributions. NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content.

It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users. Zerodium’s Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript’s script-blocking ability. According to Zerodium, the zero-day affects only the Tor Browser 7.x series.

The Tor Browser 8.x branch, released last week, is not affected. The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API. The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, hence the reason why the zero-day revealed today does not work on the new Tor Browser 8.x series.

Source: zdnet.com