In a Tweet, Zerodium shared a zero-day vulnerability that resides inwards the NoScript browser plugin comes pre-installed amongst the Mozilla Firefox bundled inwards the Tor software.
NoScript is a costless browser extension that blocks malicious JavaScript, Java, Flash in addition to other potentially unsafe content on all spider web pages yesteryear default, though users tin mail away whitelist sites they trust.
According to Zerodium, NoScript "Classic" versions 5.0.4 to 5.1.8.6--with 'Safest' safety score enabled--included inwards Tor Browser 7.5.6 tin mail away last bypassed to function whatever JavaScript file yesteryear changing its content-type header to JSON format.
In other words, a website tin mail away exploit this vulnerability to execute malicious JavaScript on victims' Tor browsers to effectively pose their existent IP address.
It should last noted that the latest version of Tor browser, i.e., Tor 8.0, is non vulnerable to this flaw, equally the NoScript plugin designed for the newer version of Firefox ("Quantum") is based upon a dissimilar API format.
Therefore, Tor 7.x users are highly recommended to straight off update their browser to the latest Tor 8.0 release.
NoScript has likewise fixed the zero-day flaw amongst the unloose of NoScript "Classic" version 5.1.8.7.
