According to Zerodium it is possible to abuse the leak by changing the content-type-header on a page to: text / html; / json . As a result, it appears that an attacker lures a victim to a malicious page under his control. Security researcher x0rz has tested this proof-of-concept and says that it is easy to apply. He publishes a video on Twitter to support his claim. The corresponding code is on GitHub . He advises users to update to the recently released Tor Browser 8. It would not be vulnerable. NoScript Classic has now implemented a patch, to version number 126.96.36.199 .