[yeloboy]

Strip the javascript engine out of the Tor browser, it has no reason to be there. It beats the purpose of using Tor if you're gonna allow Javascript to run.

It'd be much easier to just strip it all out, despite breaking site support in the process. Especially since Tor is usually used to access hidden services instead of the clearnet.

[pcwalton]

All that has to happen to fix this vulnerability is to remove support for legacy addons—which is what Firefox Quantum already did.

The old addon system made it far too easy to make catastrophic mistakes like this. Web Extensions, which are an API that was actually designed with security in mind, constitute a huge security improvement.

[evilpie]

Firefox doesn't work without a JavaScript engine.

[flatiron]

what about just toggling javascript.enabled ?

[tmpaccount823]

I can confirm that setting javascript.enabled to false would have prevented that bug in older versions.

I've always thought that the highest security setting would set it to false on its own, but apparently it does not.

[crtasm]

> Especially since Tor is usually used to access hidden services instead of the clearnet.

My assumption is the opposite but I have no data to cite here, is it even possible to tell?

[throwaway2048]

A tor browser that isn't usable means people don't use it.