U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A bug in Tor Browser allows execution of JavaScript even in Safest security level

Tor Project maintainers warned users about a severe flaw in the Tor browser that may execute JavaScript code on sites it should not. The Tor Project announced a major bug in the Tor browser that may cause the execution of JavaScript code on sites for which users have specifically blocked JavaScript. The development team at […]

Tor Project Tails

Tor Project maintainers warned users about a severe flaw in the Tor browser that may execute JavaScript code on sites it should not.

The Tor Project announced a major bug in the Tor browser that may cause the execution of JavaScript code on sites for which users have specifically blocked JavaScript.

The development team at the Tor Project announced that it is already working on a fix, but at the time it is not clear when it will be rolled out.

The feature that prevents the execution of JavaScript code on specific sites is essential for the privacy-friendly Tor Browser that uses it to prevent online surveillance. Malicious JavaScrip codes could reveal the real IP addresses of Tor users if executed.

Such kind of scripts was also employed in investigations conducted by law enforcement, in 2013, the FBI admitted attack against the Freedom Hosting, probably the most popular Tor hidden service operator company at the time.

This week, the Tor Project released the Tor Browser version 9.0.6 that features important security updates to Firefox.

The maintainers of the Tor Project announced that they have discovered a bug in TBB’s security options. The bug causes the execution of JavaScript code even when the browser was set up to use the highest security level, the level “Safest”.

“We are aware of a bug that allows javascript execution on the Safest security level (in some situations).” reads the post published by the Tor team. “We are working on a fix for this. If you require that javascript is blocked, then you may completely disable it by:

  • Open about:config
  • Search for: javascript.enabled
  • If the “Value” column says “false”, then javascript is already disabled.
  • If the “Value” column says “true”, then either right-click and select “Toggle” such that it is now disabled or double-click on the row and it will be disabled.”

The Tor team confirmed that Noscript 11.0.17 should solve this issue and that the issue is automatically updated by default.

“Automatic updates of Noscript are enabled by default, so you should get this fix automatically.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Tor Browser)

[adrotate banner=”5″]

[adrotate banner=”13″]