Security News > 2020 > March > Tor browser fixes bug that allows JavaScript to run when disabled
The Tor browser has fixed a bug that could have allowed JavaScript to execute on websites even when users think they've disabled it for maximum anonymity.
The Tor Project revealed the issue in the release notes for version 9.0.6, initially suggesting users manually disable JavaScript for the time being if the issue bothered them.
Whether the issue matters depends on how users have configured Tor to treat JavaScript.
Tor's 'standard' setting enabled JavaScript by default, which users can upgrade to either 'safer', which disables JavaScript on non-HTTPS sites, or 'safest', which disables JavaScript completely.
Leaving JavaScript enabled opens users to the hypothetical risk that their anonymity might be compromised, for example using a vulnerability in the underlying Firefox browser.