Giorgio Maone, the Italian developer who created NoScript, fixed the flaw in roughly two hours with the release of version 188.8.131.52. Maone noted that only the “Classic” branch of NoScript 5 is affected. The developer explained that the flaw stems from a “work-around for NoScript blocking the in-browser JSON viewer.” He also noted that the flaw was introduced with the release of NoScript 5.0.4 in May 2017. Tor Project representatives pointed out that this is not a Tor Browser zero-day bug.
“This was a bug in NoScript and not a zero-day exploit of Tor Browser that could circumvent its privacy protections. For bypassing Tor, a real browser exploit would still be needed,” the Tor Project explained.
The CEO of Zerodium, Chaouki Bekrar, stated that the exploit essentially bypasses the protection offered by NoScript, even if the Tor Browser is set to the “Safest” security level.
Bekrar stated that his company obtained the flaw as a zero-day “many months ago” and shared it with its government customers. He claims Zerodium has acquired, including as part of a time-limited $1 million bug bounty program, what he describes as “high-end Tor efforts.” The company's customers have reportedly used these exploits to “fight crime and child abuse, and make the world a better and safer place for all.”
Asked if he is concerned that the flaw may be exploited for malicious purposes now that it has been disclosed by Zerodium, Bekrar pointed out that version 8 of Tor Browser is not affected and that it is highly recommended that users upgrade to the latest release.