CVE-2018-16983

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to bypass NoScript Classic's script blocking feature by using a malformed Content-Type header value of 'text/html;/json'. This affects users of NoScript Classic before version 5.1.8.7, including those using Tor Browser 7.x and other products that incorporate this extension.

💻 Affected Systems

Products:
  • NoScript Classic
  • Tor Browser
Versions: NoScript Classic versions before 5.1.8.7, Tor Browser 7.x versions incorporating vulnerable NoScript
Operating Systems: All platforms where NoScript Classic or Tor Browser run
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who have NoScript Classic installed and are using its script blocking features. Other NoScript versions (not 'Classic') may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary JavaScript on protected websites, potentially leading to session hijacking, credential theft, or malware delivery to users who rely on NoScript for security.

🟠 Likely Case

Targeted attacks against Tor Browser users to bypass anonymity protections and execute malicious scripts that would normally be blocked.

🟢 If Mitigated

If NoScript is not installed or if users have disabled script blocking for all sites, the impact is minimal as there's no protection to bypass.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit was publicly disclosed on Twitter by Zerodium, so weaponization is confirmed. The attack requires the user to visit a malicious website.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.8.7

Vendor Advisory: https://noscript.net/getit#classic

Restart Required: Yes

Instructions:

1. Open NoScript Classic extension settings.
2. Check for updates.
3. Update to version 5.1.8.7 or later.
4. Restart browser.

🔧 Temporary Workarounds

Disable NoScript Classic

all

Temporarily disable the NoScript Classic extension until patched

Browser-specific: Navigate to extensions/add-ons manager and disable NoScript Classic

Switch to NoScript Quantum

all

Migrate to NoScript Quantum, which is not affected

Uninstall NoScript Classic, install NoScript Quantum from official add-on store

🧯 If You Can't Patch

  • Disable JavaScript globally in browser settings (breaks many websites)
  • Use alternative script-blocking extensions that are not vulnerable

🔍 How to Verify

Check if Vulnerable:

Check NoScript Classic version in browser extensions/add-ons manager. If version is below 5.1.8.7, you are vulnerable.

Check Version:

Browser-specific: Navigate to about:addons (Firefox) or chrome://extensions (Chrome-based) and check NoScript version

Verify Fix Applied:

Verify NoScript Classic version is 5.1.8.7 or higher in extensions manager.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script execution on websites where NoScript should be blocking
  • HTTP responses with 'text/html;/json' Content-Type headers

Network Indicators:

  • HTTP traffic containing 'Content-Type: text/html;/json' headers
  • Requests to known malicious domains that may be exploiting this vulnerability

SIEM Query:

http.content_type="text/html;/json" OR http.user_agent contains "Tor Browser" AND event.action="script_execution"
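The Content-Type indicator above can also be checked offline against proxy or capture logs. The following is an added example, not code from NoScript or from this advisory: it flags text/html responses whose Content-Type carries a parameter that is not a name=value pair, which matches 'text/html;/json' as well as case and whitespace variants of it (a detection heuristic that goes beyond the exact string). The tab-separated log format, function names and sample lines are assumptions made for the example.

```python
import re

# Characters allowed in an HTTP parameter name (RFC 7230 "token").
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

def split_content_type(value):
    """Return (media_type, [raw parameter segments]) from a Content-Type value."""
    parts = [p.strip() for p in value.split(";")]
    return parts[0].lower(), [p for p in parts[1:] if p]

def malformed_params(value):
    """Return parameter segments that are not well-formed name=value pairs.
    Limitation: a quoted value containing ';' is split and may be flagged."""
    _, params = split_content_type(value)
    bad = []
    for seg in params:
        name, sep, val = seg.partition("=")
        if not sep or not _TOKEN.match(name.strip()) or not val.strip():
            bad.append(seg)
    return bad

def is_suspicious(value):
    """True for an HTML response whose Content-Type has a malformed parameter."""
    media_type, _ = split_content_type(value)
    return media_type == "text/html" and bool(malformed_params(value))

def scan(log_lines):
    """Return (line_no, url, content_type) for each suspicious entry.
    Assumed (hypothetical) log format: '<url>\\t<Content-Type value>'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        url, _, ctype = line.rstrip("\n").partition("\t")
        if is_suspicious(ctype):
            hits.append((n, url, ctype))
    return hits

# Constructed sample data, not real traffic.
SAMPLE_LOG = [
    "https://example.test/a\ttext/html; charset=utf-8",
    "https://example.test/b\ttext/html;/json",
    "https://example.test/c\tapplication/json",
    "https://example.test/d\tText/HTML ; /json",
    "https://example.test/e\ttext/html;",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```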
