Tor Browser 9.0.7 is now available from the Tor Browser download page and also from our distribution directory.

This release features important security updates to Tor.

This release updates Tor to 0.4.2.7 and NoScript to 11.0.19.

In addition, this release disables Javascript for the entire browser when the Safest security level is selected. This may be a breaking change for your workflow if you previously allowed Javascript on some sites using NoScript. While you are on "Safest" you may restore the previous behavior and allow Javascript by:

Open about:config

Search for: javascript.enabled

The "Value" column should show "false"

Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.

We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.

In addition, HTTPS-Everywhere version 2020.3.16 supports a new mode of operation named EASE (Encrypt All Sites Eligible). Tor Browser users should not enable this feature. This new mode allows for adding per-site exceptions (whitelisting), however adding per-site exceptions may increase a user's uniqueness while using Tor Browser. When EASE mode is enabled, the whitelisting feature does not always work correctly, as well. We decided against downgrading the included https-everywhere version.

The full changelog since Tor Browser 9.0.6 is:

All Platforms Bump NoScript to 11.0.19 Bump Https-Everywhere to 2020.3.16 Bug 33613: Disable Javascript on Safest security level

Windows + OS X + Linux Bump Tor to 0.4.2.7



Update 2020-03-25: Added Https-Everywhere upgrade in ChangeLog and message about EASE mode.