| blob | 46f92347e0014a55d3b9ecfe3923d7ce1396dca2 |
1 [[!meta date="Wed, 11 Nov 2020 21:15:09 +0000"]]
2 [[!meta title="JavaScript vulnerability in Tor Browser"]]
3 [[!pagetemplate template="news.tmpl"]]
5 [[!tag security/fixed]]
7 A [critical vulnerability](https://www.mozilla.org/en-US/security/advisories/mfsa2020-49/)
8 was discovered in the JavaScript engine of *Firefox* and *Tor Browser*.
10 Until Tails 4.13 (November 17), we recommend all users to set the
11 [[security level of *Tor
12 Browser*|doc/anonymous_internet/Tor_Browser#security-level]] to *Safer*
13 or *Safest*.
15 This vulnerability was discovered during the [Tianfu Cup 2020 International
16 Cybersecurity Contest](http://www.tianfucup.com/). The details of the vulnerability
17 were not disclosed.
19 We are not aware of any use of this vulnerability against actual users.
21 The *Safer* or *Safest* security level of *Tor Browser* are not affected
22 because the feature of JavaScript that is affected, the *[[!wikipedia
23 just-in-time compilation]]*, is disabled at these security levels.
25 Mozilla fixed this vulnerability in *Firefox* 78.4.1 and Tor fixed this
26 vulnerability in *Tor Browser* 10.0.4.
28 We decided not to release an emergency upgrade of Tails because:
30 - Tails 4.13 is already scheduled for November 17 and will fix this
31 vulnerability.
32 - Our main release manager left the team recently and we have very
33 limited staffpower right now.
34 - The details of the vulnerability were not disclosed, making it harder
35 to exploit, and we are not aware of any use of this vulnerability
36 against actual users.