There is a Tor Browser 7.x Zero Day that can allow malicious code to run inside the browser, a researcher said.
Tor Browser is a modified version of Mozilla’s Firefox ESR that bundles the NoScript and HTTPS Everywhere extensions, together with an installation of the Tor network accessible via the TorButton, TorLauncher, and Tor proxy.
The browser lets its users boost their privacy and avoid man-in-the-middle (MitM) attacks while browsing the web, and is recommended by most anti-surveillance advocates.
While the attack works on older versions of the browser, it will not work on the just-released version, researchers said, because the new Tor Browser release moved to Firefox Quantum, which comes with different, new add-on APIs. Tor Browser version 8.0 launched last week.
The newest NoScript versions are also developed to work on the Quantum platform and use the newer add-on APIs.
Zerodium’s chief executive Chaouki Bekrar said that back in December the organization launched a specific, time-limited bug bounty for Tor Browser. Zerodium acquired this Tor Browser exploit months ago as a Zero Day, and Bekrar shared it with government customers.
Bekrar said the Zero Day was released publicly to raise awareness of the lack of proper auditing of components of a highly trusted security solution like the Tor Browser, which has millions of users to date.
To mitigate the issues, users should update Tor Browser and NoScript to their latest versions, which are not vulnerable.