Zerodium, which buys and sells vulnerabilities in popular software, has disclosed a 0-day vulnerability in Tor Browser via Twitter.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript 'Safest' security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to "text/html;/json" and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) September 10, 2018
This vulnerability bypasses the highest security level of Tor Browser/NoScript and allows malicious code to run in the browser. It affects Tor Browser 7.x but not the just-released Tor Browser 8.0. NoScript author Giorgio Maone said the vulnerability was caused by a workaround NoScript used to shield the built-in JSON viewer. He said he had not previously been aware of the vulnerability and indicated that a fix will be released in an update.
Zerodium CEO Chaouki Bekrar said that they obtained the vulnerability a few months ago and shared the vulnerability information with government customers. They decided to disclose the vulnerability because the latest release, Tor Browser 8.0, is unaffected and its lifetime has ended. The vulnerability itself does not expose data and needs to be combined with other exploit methods.
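The header value in the advisory is not a well-formed media type: "/json" sits where a name=value parameter belongs. The following added example (not NoScript or Tor Browser code) parses Content-Type strictly and flags values where a loose substring check and the strict parse disagree; the loose check is a hypothetical stand-in for illustration, not NoScript's actual logic, and all function names are assumptions.

```javascript
// Added illustration; not NoScript or Tor Browser code.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 9110 "token"

// Strict parse: "type/subtype" followed by ";name=value" parameters.
// Quoted values containing ';' are reported as malformed (conservative).
function parseContentType(header) {
  const [rawEssence, ...rawParams] = String(header).split(";").map((s) => s.trim());
  const parts = rawEssence.split("/");
  const valid = parts.length === 2 && parts.every((p) => TOKEN.test(p));
  const malformed = rawParams.filter((p) => {
    if (p === "") return false; // tolerate a trailing ';'
    const eq = p.indexOf("=");
    return eq <= 0 || !TOKEN.test(p.slice(0, eq).trim());
  });
  return { essence: valid ? rawEssence.toLowerCase() : null, malformed };
}

// Hypothetical loose check (an assumption, shown only for contrast):
// treats any header mentioning "/json" as JSON.
function looseLooksLikeJson(header) {
  return String(header).toLowerCase().includes("/json");
}

// "invalid": no usable media type; "suspicious": malformed parameters,
// or the loose and strict views of "is this JSON?" disagree.
function classify(header) {
  const { essence, malformed } = parseContentType(header);
  if (essence === null) return "invalid";
  const strictJson = essence === "application/json"; // exact match only
  if (malformed.length > 0 || looseLooksLikeJson(header) !== strictJson) {
    return "suspicious";
  }
  return "ok";
}

// Constructed sample values; the third is the string quoted in the advisory.
const SAMPLES = [
  "text/html; charset=utf-8",
  "application/json; charset=utf-8",
  "text/html;/json",
  "",
];
for (const h of SAMPLES) console.log(JSON.stringify(h), "->", classify(h));
```

A check like this fits a response-logging proxy or a test suite for content-type-dependent script blocking: the strict parse decides what the document is, and any header that a looser matcher would read differently is surfaced for review.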