Skip to content
GitLab
  • Menu
Projects Groups Snippets
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
  • Trac Trac
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Issues 246
    • Issues 246
    • List
    • Boards
    • Service Desk
    • Milestones
  • Monitor
    • Monitor
    • Metrics
    • Incidents
  • Analytics
    • Analytics
    • Value stream
  • Wiki
    • Wiki
  • Activity
  • Create a new issue
  • Issue Boards
Collapse sidebar
  • Legacy
  • TracTrac
  • Issues
  • #31287
Closed (moved) (moved)
Open
Created Jul 30, 2019 by Georg Koppen@gk

NoScript leaks browser locale if objects are blocked and JavaScript is allowed

If one customizes NoScript in a way that objects are blocked and JavaScript is enabled then the browser locale is leaked even if the user opted in in hiding it. This issue got reported to our HackerOne bug bounty program by ryotak, thanks!

A copy of the developed PoC can be found at: https://people.torproject.org/~gk/tests/poc_noscript_locale_leak.html.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking