On March 23, 2020, the Tor Project released an update to Tor Browser version 9.0.7 that fixes security issues in the Tor router and significantly changes the behavior of the browser when choosing the most secure (Safest) settings level.
The most secure level is to disable JavaScript by default for all sites. However, due to an issue in the NoScript add-on, this limitation can currently be bypassed. As a temporary workaround, the Tor Browser developers have made it impossible for JavaScript to work when the highest security level is selected.
This may break Tor Browser habits for all users who have enabled the highest security mode, as it is no longer possible to allow JavaScript through the NoScript settings.
If you need to return the previous behavior of the browser at least temporarily, then you can do it manually, as follows:
- Open a new tab.
- Type about:config in the address bar and press Enter.
- In the search bar under the address bar enter: javascript.enabled
- Double click on the remaining line, the Value field should change from false to true
The built-in Tor network router has been updated to version 0.4.2.7. The following shortcomings have been fixed in the new version:
- Fixed a bug (CVE-2020-10592) that allowed anyone to perform a DoS attack on a relay or root directory server, causing CPU overload, or an attack from the directory servers themselves (not just root ones), causing ordinary network users to overload the CPU.
Targeted CPU overload could obviously be used to orchestrate timing attacks to help deanonymize users or hidden services. - Fixed CVE-2020-10593 that allowed a memory leak to be triggered remotely, which could result in a stale chain being reused
- Other errors and shortcomings
Source: linux.org.ru