Wed. Nov 13th, 2019

Zerodium exposes the 0day vulnerability on Tor Browser 7x

1 min read

Zerodium, which buys and sells popular software vulnerabilities, has posted a 0day vulnerability in Tor Browser via Twitter.

This vulnerability bypasses Tor/NoScript’s highest level of security and allows malicious code to run on the browser. The vulnerability affects Tor Browser 7.x but does not affect the just-released Tor Browser 8.0. NoScript author Giorgio Maone said the vulnerability was caused by a workaround used by NoScript to shield the built-in JSON viewer. He did not know the existence of the vulnerability before, indicating that the update fix will be released.

Zerodium CEO Chaouki Bekrar said that they got the vulnerability a few months ago and shared the vulnerability information with government customers. They decided to disclose the vulnerability because the latest release of Tor Browser 8.0 is unaffected and its lifetime has ended. The vulnerability itself does not expose data and needs to be combined with other exploit methods.