Bug #15140: noscript bypass / new identity bug

Bug #15140

noscript bypass / new identity bug

Added by Anonymous 2018-01-01 18:05:37 . Updated 2018-03-14 11:08:55 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Target version:

Tails_3.6

Start date:

2018-01-01

Due date:

% Done:

100%

Feature Branch:

Type of work:

Wait

Blueprint:

Starter:

Affected tool:

Browser

Deliverable for:

Description

If you temporarily allow a Website to use JavaScript and use the New Identity button and go back to the exact same website afterwards no script will forget that it granted temporary access to it pre-new identity yet allow scripts to be executed nonetheless

this is only reversed after closing Tor Browser for real and might be used maliciously.

easiest fix: set javascript.enabled to false on high security mode

Files

example.mp4 (1800689 B)

Anonymous, 2018-01-02 23:44:05

Subtasks

History

#1 Updated by mercedes508 2018-01-02 18:32:44

Assignee set to intrigeri
Priority changed from High to Normal

I’m not sure to understand properly how to reproduce this. And I tried in both Tails and Tor Browser on Debian. So I’m asking for some help if that’s possible on triaging this one.

Thanks in advance.

#2 Updated by Anonymous 2018-01-02 23:44:05

File example.mp4 added

interesting find could reproduce in 3.2 will try 3.3 and tbb asap

#3 Updated by intrigeri 2018-01-03 08:32:08

Assignee changed from intrigeri to mercedes508

> I’m not sure to understand properly how to reproduce this.

The video attached since you commented should make it clear how to reproduce. If this can be reproduced in Tor Browser outside of Tails, either the OP or yourself should ensure there’s a ticket about this in the Tor bug tracker.

#4 Updated by mercedes508 2018-01-03 15:01:22

Type of work changed from Code to Wait

Reproduced on Tor Browser on Debian stable, so I created #24784 on Tor bug tracker (https://trac.torproject.org/projects/tor/ticket/24784).

Waiting for them to fix it then.

#5 Updated by mercedes508 2018-01-03 15:06:38

Status changed from New to Confirmed

#6 Updated by mercedes508 2018-01-04 16:49:12

In fact it’s #24421 from Tor Bug Tracker. So the bug I opened is a duplicate.
https://trac.torproject.org/projects/tor/ticket/24421

#7 Updated by mercedes508 2018-01-29 11:20:28

Target version set to Tails_3.6

mercedes508 wrote:
> In fact it’s #24421 from Tor Bug Tracker. So the bug I opened is a duplicate.
> https://trac.torproject.org/projects/tor/ticket/24421

This upstream ticket has been fixed just now, so hopefully fixed in next TBB version that should ship NoScript version 5.1.8.4. So Hopefully in Tails 3.6.

#8 Updated by intrigeri 2018-02-02 05:51:58

Assignee changed from mercedes508 to bertagaz
QA Check set to Ready for QA

Cool! bertagaz, please verify this when you’ll import the new Tor Browser.

#9 Updated by bertagaz 2018-03-12 21:41:06

Status changed from Confirmed to Fix committed
Assignee deleted (~~bertagaz~~)
% Done changed from 0 to 100
QA Check changed from Ready for QA to Pass

intrigeri wrote:
> Cool! bertagaz, please verify this when you’ll import the new Tor Browser.

Seems it was indeed fixed, I can not reproduce this bug with Tor Browser 7.5.1.

#10 Updated by bertagaz 2018-03-14 11:08:55

Status changed from Fix committed to Resolved