Tor Browser Bug Allows JavaScript to Run Where It Should Be Blocked

Developers have issued a warning about a bug in Tor Browser that allows JavaScript code to execute on websites even when the user has intentionally blocked it. Although work is underway to create a fix, there is currently no patch available, and no release date has been announced.

The Importance of JavaScript Blocking in Tor Browser

The ability to block JavaScript execution is a key security feature of Tor Browser. Because the browser is focused on protecting user privacy—masking real IP addresses and striving to maintain user anonymity—it is often used by journalists, political activists, and dissidents in countries with repressive regimes to bypass censorship and restrictions.

It’s worth noting that in the past, there have been exploits targeting Tor Browser that used JavaScript to reveal a user’s real IP address. Some of these exploits were used to unmask criminals, while others were deployed under unknown circumstances.

Details of the Security Flaw

The development team has now reported a bug in the Tor Browser Bundle’s security settings. Even if the browser is set to the highest security level (“Safest”), it still allows JavaScript code to run in certain situations where it should be blocked.

What Users Can Do

Developers state that they are actively working to resolve this issue. In the meantime, users who want to completely disable JavaScript can do so by changing the following setting:

• Go to about:config
• Set javascript.enabled to false