A few days ago, in my German article "Tor Browser 8.0 erschienen", I introduced the new version of the Tor browser. If you’re still using older versions of Tor 7.x, you should switch as soon as possible.
Zerodium, a vendor that buys and sells exploits for software, has announced on Twitter that Tor 7.x is insecure. A bug allows a user’s choice of security level to be bypassed.
Advisory: Tor Browser 7.x has a serious vuln/bugdoor leading to full bypass of Tor / NoScript ‘Safest’ security level (supposed to block all JS).
PoC: Set the Content-Type of your html/js page to “text/html;/json” and enjoy full JS pwnage. Newly released Tor 8.x is Not affected.
— Zerodium (@Zerodium) 10. September 2018
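
The header value quoted in the tweet is not a well-formed media type: RFC 7231 requires every `;` after the type to be followed by a `name=value` parameter. The following is an added example, not code from the original post, Zerodium, NoScript or the Tor Project: a strict Content-Type parser plus a small audit over constructed response records, which a proxy or log review could use to flag such values. The names `parseContentType` and `flagMalformed` and the sample records are assumptions made for illustration.

```javascript
// Added example (constructed): strict Content-Type parsing, RFC 7231 section 3.1.1.1.
const TOKEN = "[!#$%&'*+.^_`|~0-9A-Za-z-]+";
const TYPE_RE = new RegExp(`^[ \\t]*(${TOKEN})/(${TOKEN})`);
// Sticky regex: exactly one ";name=value" parameter; value is a token or a quoted-string.
const PARAM_RE = new RegExp(
  `[ \\t]*;[ \\t]*(${TOKEN})=(?:(${TOKEN})|"((?:[^"\\\\]|\\\\.)*)")`, "y");

// Returns { ok: true, type, params } or { ok: false, reason }.
function parseContentType(header) {
  const m = TYPE_RE.exec(header);
  if (!m) return { ok: false, reason: "no type/subtype" };
  const type = `${m[1]}/${m[2]}`.toLowerCase();
  const params = {};
  let pos = m[0].length;
  while (pos < header.length) {
    PARAM_RE.lastIndex = pos;
    const p = PARAM_RE.exec(header);
    if (!p) {
      // Trailing whitespace is acceptable; anything else is a malformed parameter.
      if (/^[ \t]*$/.test(header.slice(pos))) break;
      return { ok: false, reason: `malformed parameter at offset ${pos}` };
    }
    // Token values are used as-is; quoted-string values have their escapes removed.
    params[p[1].toLowerCase()] =
      p[2] !== undefined ? p[2] : p[3].replace(/\\(.)/g, "$1");
    pos = PARAM_RE.lastIndex;
  }
  return { ok: true, type, params };
}

// Constructed sample of logged response headers (URL paths are placeholders).
const SAMPLE = [
  { url: "/a", contentType: "text/html; charset=utf-8" },
  { url: "/b", contentType: 'application/json;charset="utf-8"' },
  { url: "/c", contentType: "text/html;/json" }, // the value quoted in the tweet
];

// Returns the URLs whose Content-Type does not parse strictly.
function flagMalformed(entries) {
  return entries
    .filter((e) => !parseContentType(e.contentType).ok)
    .map((e) => e.url);
}
```

A component that makes a security decision from Content-Type should treat a value that fails this parse as untrusted rather than guessing which part of the string names the type.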