翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 27-Mar-2025 14:42:31 JST 翠星石
@lxo @nemobis @fijxu It certainly wasn't theoretical previously; https://tails.net/news/javascript_sometimes_enabled_in_safest/index.en.html
https://blog.torproject.org/new-release-tor-browser-907/
>Open about:config
Search for: javascript.enabled
The "Value" column should show "false"
Either: right-click and select "Toggle" such that it is now disabled or double-click on the row and it will be disabled.
We are taking this precaution until we are confident recent NoScript versions successfully block Javascript execution, by default, by working around a Firefox ESR vulnerability.
Although with version 100 it seems they were confident enough that NoScript seems to block JavaScript execution; https://blog.torproject.org/new-release-tor-browser-100/
Against remote scripts, I am reasonably confident that NoScript is adequate, as they don't seem to ever be downloaded unless you manually do so, but I'm not sure about specifically crafted JavaScript in <script></script> tags - it wouldn't surprise me if more ways were found that allow malicious JavaScript execution in script tags with javascript.enabled=true.
Someone has mentioned that they found LibreJS executed unlicensed JavaScript encoded via a certain method, but didn't mention further details (it seems they were telling the truth).
To have proper security guarantees with this sort of thing, you would need Firefox with the JavaScript engine completely disabled (too bad extensions and a bunch of other things rely on that and you can only really get that sort of thing in NetSurf).
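An added example, not part of the original post or of any Tor Project tooling: a Python check that reads a Firefox-family profile's on-disk preferences and reports the effective `javascript.enabled` value that the quoted about:config steps set. The profile directory is whatever path you pass in; the sample profiles in `demo()` are constructed, and it assumes the stock behaviour that `user.js` is applied after `prefs.js` and that the built-in default is `true`.

```python
import re
import tempfile
from pathlib import Path

# Matches lines such as: user_pref("javascript.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_prefs(path):
    """Return {name: raw_value} for every user_pref() line in one file."""
    prefs = {}
    if not path.is_file():
        return prefs
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)  # a later line in the file wins
    return prefs

def javascript_enabled(profile_dir):
    """Return (enabled, source) for javascript.enabled in this profile."""
    value, source = "true", "built-in default"  # absent pref means enabled
    for name in ("prefs.js", "user.js"):        # user.js is applied last
        prefs = read_prefs(Path(profile_dir) / name)
        if "javascript.enabled" in prefs:
            value, source = prefs["javascript.enabled"], name
    # Anything other than a literal false is reported as enabled.
    return value != "false", source

def demo():
    """Run the check against three constructed profile states."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d)
        results = [javascript_enabled(p)]  # empty profile
        (p / "prefs.js").write_text('user_pref("javascript.enabled", false);\n')
        results.append(javascript_enabled(p))  # toggled off via about:config
        (p / "user.js").write_text(
            '// constructed override\nuser_pref("javascript.enabled", true);\n')
        results.append(javascript_enabled(p))  # user.js re-enables it
        return results

if __name__ == "__main__":
    for enabled, source in demo():
        print(f"javascript.enabled={'true' if enabled else 'false'} (from {source})")
```

The check covers only `prefs.js` and `user.js`; preferences locked through enterprise policies or autoconfig files are not read, and it says nothing about what NoScript is blocking.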