The security company Zerodium announced the vulnerability after a new version of the Tor Browser had been released. According to the announcement, Tor Browser 8.x is unaffected by the vulnerability.
Here’s the tweet:
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
In a statement to ZDNet, Zerodium said, “the exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.” The company also revealed that they had shared the information with their “government customers.” The company, of course, sells this information almost exclusively to government agencies.
And the infamous x0rz released a Python script demonstrating how simply the Tor Browser’s NoScript could be bypassed. Available
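
For defenders reviewing proxy or web-server logs, the header value quoted in the tweet stands out because it is not a well-formed media type. The following is an added example (not x0rz's script and not code from Zerodium or the Tor Project) that checks a Content-Type value against the RFC 7231 media-type grammar and reports the part that fails to parse; the function names and sample URLs are assumptions constructed for illustration.

```python
import re

# RFC 7230 "token" characters. "/" is not one of them, so a parameter
# such as "/json" can never be valid.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# media-type = type "/" subtype
TYPE = re.compile(rf"({TOKEN})/({TOKEN})")
# parameter = OWS ";" OWS token "=" ( token / quoted-string )
PARAM = re.compile(rf'[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|"(?:[^"\\]|\\.)*")')


def malformed_part(value):
    """Return None if value is a well-formed media type, otherwise the
    first part of the header value that violates the grammar."""
    value = value.strip()
    match = TYPE.match(value)
    if not match:
        return value
    pos = match.end()
    while pos < len(value):
        match = PARAM.match(value, pos)
        if not match:
            return value[pos:]
        pos = match.end()
    return None


# Constructed sample data: (URL, Content-Type response header).
SAMPLE_RESPONSES = [
    ("http://example.test/a", "text/html; charset=utf-8"),
    ("http://example.test/b", "text/html;/json"),  # value quoted in the advisory
    ("http://example.test/c", 'application/json; profile="a;b"'),
]


def flag_responses(responses):
    """Return (url, offending_part) for every malformed Content-Type."""
    flagged = []
    for url, content_type in responses:
        bad = malformed_part(content_type)
        if bad is not None:
            flagged.append((url, bad))
    return flagged


if __name__ == "__main__":
    for url, bad in flag_responses(SAMPLE_RESPONSES):
        print(f"{url}: malformed Content-Type near {bad!r}")
```

The check is strict: a value with a trailing semicolon is also reported, so expect some benign hits on real traffic.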