TTP-02-003 WP1: Data URI allows JS execution despite safest security level (Low)
Description
The Tor Browser incorporates a feature that makes it possible for users to adjust the security level of the browser. This feature is designed to mitigate web-based attacks targeting the users' security and anonymity, doing so by disabling certain web features.
It was found that the security level protections are not applied on the first top-level navigation to a data URI while the browser is in the Safest state. When the same data URI is reloaded, the correct protections are applied. This issue could be used by attackers to trick users into executing JavaScript despite the Safest security level being set. Since it is not possible to automatically open or redirect the top-level page to a data URI, user interaction is required to exploit this vulnerability. As a result, the severity of the issue has been downgraded to Low.
PoC:
<html>
  <body><br><br>
    <center>
      <h2>
        <a href="data: text/html,<script>alert(`Javascript execution :)`);</script>">Click on "Copy Link" and then "Paste and Go" in the address bar!</a>
      </h2>
    </center>
  </body>
</html>
Steps to reproduce:
- Open the Tor Browser and connect to the Tor network.
- Set the security level to safest.
- Save the PoC above as an HTML file and open it on the Tor Browser.
- Right-click on the link and select Copy Link.
- Right-click on the address bar and click on Paste and Go.
- Observe an alert being displayed, which demonstrates that JavaScript was executed, even though the browser has the safest security level set.
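As an added verification aid, not part of the Cure53 report, the following static HTML page offers a data: link of the same kind, but the data: document reports the outcome in its own text (with a noscript fallback for the expected blocked case) instead of raising an alert, so a tester can compare the first navigation with a reload at the Safest level. The page deliberately contains no script of its own, because at Safest the helper page's JavaScript would be blocked too; the file name check-data-uri.html and all wording are constructed.

```html
<!DOCTYPE html>
<!-- check-data-uri.html: added verification page, not from the Cure53 report.
     Usage: set the security level to Safest, open this file in Tor Browser,
     right-click the link, "Copy Link", then "Paste and Go" in the address bar.
     Expected at Safest: the data: document shows "JavaScript BLOCKED" and the
     noscript text. Reported bug: on first navigation it shows "EXECUTED";
     after pressing Reload on the data: page, the protections apply again. -->
<html>
  <head>
    <meta charset="utf-8">
    <title>Security level check for top-level data: URIs</title>
  </head>
  <body>
    <h2>
      <a href="data:text/html,<h2 id='r'>JavaScript BLOCKED (expected at Safest)</h2><noscript><p>noscript block rendered: scripting is disabled in this data: document.</p></noscript><script>document.getElementById('r').textContent='JavaScript EXECUTED: security level not applied to this data: document'</script><p>Now press Reload (F5) on this page and compare the result.</p>">Copy this link, then use "Paste and Go" in the address bar</a>
    </h2>
    <p>Expected result at Safest: "JavaScript BLOCKED" on both the first
       navigation and after a reload. Any "EXECUTED" result means the
       security level protections were not applied to the data: document.</p>
  </body>
</html>
```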
To mitigate this issue, Cure53 advises applying the protections associated with the security levels to data URIs as well.