Tails is warning users to stop using Tor Browser that comes bundled with the privacy-focused operating system (OS), after the discovery of a prototype pollution vulnerability.
Tor Browser is a modification of the open source Firefox web browser, which is where the critical vulnerability, tracked as CVE-2022-1802, was found.
The bug could enable an attacker to corrupt the methods of an Array object in JavaScript via prototype pollution, potentially achieving the execution of attacker-controlled JavaScript code in a privileged context.
A second bug, tracked as CVE-2022-1529, could allow an attacker to send a message to the parent process where the contents could be used to double-index into a JavaScript object, leading to prototype pollution and ultimately allowing attacker-controlled JavaScript executing in the privileged parent process.
Knock-on impact
The developers of Tails, a security-focused Debian-based Linux distribution used for security and anonymity, warned users not to fire up Tor Browser while handling any sensitive information as the vulnerability may break any protections it provides.
This is at least until version 5.1 of Tails, expected on May 31, is released.
A security advisory from Tails reads: “This vulnerability allows a malicious website to bypass some of the security built in Tor Browser and access information from other websites.
“For example, after you visit a malicious website, an attacker controlling this website might access the password or other sensitive information that you send to other websites afterwards during the same Tails session.”
The vulnerability does not break the anonymity and encryption of Tor connections, meaning that it is still safe and anonymous to access websites from Tails if you don’t share sensitive information with them.
Other applications in Tails are not vulnerable because JavaScript is disabled. The Safest security level of Tor Browser is also not affected because JavaScript is disabled at this security level.
Fixes incoming
Tails version 5.0 comes bundled with Tor Browser 11.0.11, which contains the prototype pollution bug.
As users await Tails 5.1, which will inherit the Tor Browser 11.0.13 security update, they could use the standalone, and fully updated, version of the browser on Mac, Windows, or Linux.
“This vulnerability will be fixed in Tails 5.1 (May 31), but our team doesn’t have the capacity to publish an emergency release earlier,” the Tails team said.
A Mozilla security advisory contains more information about the security issues, which were reported by researcher Manfred Paul.
It also contains details on fixes for Firefox, Firefox ESR, Firefox for Android, Thunderbird to protect against the vulnerabilities.
