Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.
In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions.
Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability.
According to Zerodium, the zero-day affects only the Tor Browser 7.x series. The Tor Browser 8.x branch, released last week, is not affected.
The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API.
The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, hence the reason why the zero-day revealed today does not work on the new Tor Browser 8.x series.
In an interview with ZDNet, Giorgio Maone, the author of the NoScript extension, said the zero-day was caused by a workaround for NoScript blocking the Tor Browser's in-browser JSON viewer.
Maone was not aware of the vulnerability before ZDNet contacted him earlier today.
After successfully reproducing the issue, Maone promised an update to the NoScript add-on for later today, to mitigate the zero-day's effects.
"I'm gonna release the update within 24 hours or less, like I always did in the past," Maone told ZDNet.
The Tor Project replied to ZDNet's request for comment but was not prepared to issue an official statement before this article's publication.
In an email exchange with ZDNet, Zerodium CEO Chaouki Bekrar provided more details about today's zero-day.
"We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet.
"This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.
"We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.
"The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.
ZDNet advises Tor Browser 7.x users to update to Tor Browser 8.x, or at least make sure to install the NoScript update that Maone promised for later today. The current NoScript version included with Tor Browser 7.5.6 is NoScript 22.214.171.124.
UPDATE: Minutes after this article's publication, Maone released NoScript "Classic" version 126.96.36.199, which fixes the zero-day's exploitation vector. The patch came exactly two hours after Zerodium released details on Twitter. Maone also told ZDNet that the bug was introduced in NoScript 5.0.4, released on May the 11th 2017.