Potential anonymity leak in Tor Browser Bundle via Key Map
For users of alternative keymaps such as AZERTY or Dvorak, the keymap can reveal personally identifiable information about the end user. Using JavaScript, it is fairly trivial to accurately identify a user's keymap by comparing key codes and character codes against some fairly simple patterns.
If packets can be injected between the Tor exit node and the destination site, malicious JavaScript can be inserted which, when the user types, could determine their keymap. HTTPS on the destination site can help to prevent packet injection, but if the destination site itself is malicious or compromised, it would still be possible to determine the user's keymap and store data about the interaction, which could ultimately identify the user.
A fix for this would involve patching Tor Browser Bundle's Firefox to never send key codes or alternatively never send char codes to executing JavaScript. It's also possible to mitigate this by disabling JavaScript, but many sites depend on JavaScript for basic interaction with the site.
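A variant of the proposed fix, as an added example that is not Tor Browser's code: rather than withholding key codes, report for every typed character the values a US QWERTY keyboard would produce, so that all layouts look alike to page script. It assumes the modern `KeyboardEvent` fields `key`, `code`, `keyCode` and `shiftKey` in place of the key codes and char codes named above; the table, function names and sample events are constructed for illustration.

```javascript
// Reference table: typed character -> what a US QWERTY keyboard reports.
// Only a few keys are listed here; a full table covers every printable character.
const US_QWERTY = {
  a: { code: "KeyA", keyCode: 65, shiftKey: false },
  q: { code: "KeyQ", keyCode: 81, shiftKey: false },
  "1": { code: "Digit1", keyCode: 49, shiftKey: false },
  "&": { code: "Digit7", keyCode: 55, shiftKey: true },
};

// Rewrite the layout-dependent fields of a key event before script sees it.
function spoofKeyEvent(ev) {
  const ref = US_QWERTY[ev.key];
  if (!ref) {
    // Character not in the table: withhold the key codes entirely.
    return { key: ev.key, code: "", keyCode: 0, shiftKey: false };
  }
  return { key: ev.key, ...ref };
}

// True when two event streams are identical from the page's point of view.
function indistinguishable(a, b) {
  return JSON.stringify(a) === JSON.stringify(b);
}

// Constructed sample: the text "a1&" typed on two layouts (values illustrative).
const SAMPLE = {
  qwerty: [
    { key: "a", code: "KeyA", keyCode: 65, shiftKey: false },
    { key: "1", code: "Digit1", keyCode: 49, shiftKey: false },
    { key: "&", code: "Digit7", keyCode: 55, shiftKey: true },
  ],
  azerty: [
    { key: "a", code: "KeyQ", keyCode: 65, shiftKey: false },  // A sits where Q is on QWERTY
    { key: "1", code: "Digit1", keyCode: 49, shiftKey: true }, // digits need Shift
    { key: "&", code: "Digit1", keyCode: 49, shiftKey: false },
  ],
};

function demo() {
  const raw = indistinguishable(SAMPLE.qwerty, SAMPLE.azerty);
  const spoofed = indistinguishable(
    SAMPLE.qwerty.map(spoofKeyEvent),
    SAMPLE.azerty.map(spoofKeyEvent)
  );
  return { raw, spoofed };
}

console.log(demo());
```

Characters missing from the table fall back to empty codes, which still tells the page that a non-US character was typed; the typed text itself carries that information regardless of the key codes.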