https://twitter.com/Zerodium/status/1039127214602641409
- Zerodium
While they haven’t given any detailed proof-of-concept for this vulnerability, they have explained it briefly in their tweet.
‘NoScript’ is a typical browser extension that enables a user to block JavaScript, Java, and Flash on untrusted websites. The user can, however, select specifications for certain websites to allow running JS. Designed for all Mozilla-based browsers including Firefox and SeaMonkey, the plugin comes by default with TOR browser. This tool enhances the browser’s security feature by blocking all JS except on the whitelist.The bug reported by Zerodium affects this particular TOR feature, allowing anyone to run malicious codes in the browser by simply bypassing the NoScript.
Reportedly, within 50 minutes from the disclosure, Giorgio Maone fixed the flaw in the NoScript "Classic" version 5.1.8.7 which is now available.
https://twitter.com/ma1/status/1039156018608041984
- ma1
The users of Firefox, TOR, and other browsers can simply download this patched NoScript version to mitigate the vulnerability. Likewise, TOR users running browser versions 7.x need to upgrade their browsers to the version 8.x. However, those already running TOR 8.x on their devices remain safe.
Let us know your thoughts in the comments section.