Tor Browser 5.5a1 is released
This release features important security updates to Firefox. In particular, while the recent PDF.js exploit did not affect 4.5 users, it does affect users of 5.0a3 and 5.0a4. Although the High security level of the Security Slider also prevented the exploit from working against even those users, all alpha users are still strongly encouraged to upgrade as soon as possible.
In addition to fixing these security issues, the remaining major issues with Firefox 38 from 5.0a4 were also fixed. This release also features improvements to fingerprinting defenses. In particular, we continue to refine our font fingerprinting defense that was added in 5.0a4. With this defense, Tor Browser now ships with a standard set of fonts, and prefers to use the provided fonts instead of native ones in most cases. Interested users are encouraged to help us refine this defense by commenting on the associated ticket in our bugtracker.
This release also will reset the permanent NoScript whitelist, due to an issue where previous NoScript updates had added certain domains to the whitelist during upgrade. The whitelist is reset to the default for all users as a result, and future updates to the whitelist by NoScript have been disabled.
Here is the complete changelog since 5.0a4:
- All Platforms
- Update Firefox to 38.2.0esr
- Update NoScript to 220.127.116.11
- Update Torbutton to 18.104.22.168
- Bug 16731: TBB 5.0 a3/a4 fails to download a file on right click
- Bug 16730: Reset NoScript whitelist on upgrade
- Bug 16722: Prevent "Tiles" feature from being enabled after upgrade
- Bug 16488: Remove "Sign in to Sync" from the browser menu (fixup)
- Bug 14429: Make sure the automatic resizing is enabled
- Translation updates
- Update Tor Launcher to 0.2.7.7
- Translation updates
- Bug 16730: Prevent NoScript from updating the default whitelist
- Bug 16715: Use ThreadsafeIsCallerChrome() instead of IsCallerChrome()
- Bug 16572: Verify cache isolation for XMLHttpRequests in Web Workers
- Bug 16311: Fix navigation timing in ESR 38
- Bug 15646: Prevent keyboard layout fingerprinting in KeyboardEvent (fixup)
- Bug 16672: Change font whitelists and configs for rendering issues (partial)