Filippo Cavallarin, an Italian security researcher, discovered a flaw in Mozilla Firefox, which means that Tor Browser (which is built on Firefox) is also affected. The vulnerability, called TorMoil, affects Tor Browser on macOS and Linux but not on Windows.
The Tor team have released version 7.0.9 to patch the vulnerability. Tor Browser 7.0.9 is only available for Mac and Linux users.
The researcher said that the security flaw is a Firefox bug in the way the browser handles file:// URLs. Once an affected user visits a specially crafted web page, the operating system may connect directly to the remote host, bypassing Tor Browser.
According to the Tor Project:
“The bug got reported to us on Thursday, October 26, by Filippo Cavallarin. We created a workaround with the help of Mozilla engineers on the next day which, alas, fixed the leak only partially. We developed an additional fix on Tuesday, October 31, plugging all known holes. We are not aware of this vulnerability being exploited in the wild. Thanks to everyone who helped during this process!”
Users are strongly recommended to update their Tor Browser to patch the TorMoil vulnerability.
The Tor Project announced in July the launch of a public bug bounty program to encourage bug hunters to privately report bugs they find in the software.