Description:

It is possible to hide the Tor Circuit button from the address bar for a given tab by listening to the onbeforeunload event and redirecting the page to about:blank when the event is triggered.

If a user attempts to reset their identity by clicking on the New Tor circuit for this site option, the navigation can be hijacked by the attacker's script. A blank page will be displayed as a consequence. If the user attempts to navigate back to the previous page using the Back button, the Tor Circuit button will not be displayed in the address bar.

Similarly to TTP-02-002, this issue was found not to pose any immediate security risk and is included as Info only.

PoC:

<script>
  let status;
  onbeforeunload = () => {
    status = true;
  }
  let timer = setInterval(() => {
    if (status) {
      status = false;
      clearInterval (timer) ;
      location = "about:blank";
    }
  }, 1);
</script>

Steps to reproduce:

1. Open the Tor Browser and connect to it.
2. Save the PoC above as an HTML file and open it in the browser.
3. Click on the Tor Circuit button and then on the New Tor circuit for this site option.
4. The page will be redirected to about:blank.
5. Click on the Back option and observe that the Tor Circuit button is hidden for this page.

To mitigate this issue, Cure53 advises applying the same mitigation as specified in the TTP-02-002 ticket. Given these issues seem to be related and they might share the same root cause, it is recommended to consider and address them together.