This release features important security updates to Firefox.
Moreover, we backport a defense, developed by Mozilla engineers, against protocol handler enumeration.
Unfortunately, this release temporarily introduces a regression because of a potential proxy-bypass bug in some versions of Android: Tor Browser for Android will not download a website’s “favicon” in this release (the small image shown beside the title of the webpage in the list of tabs). Our investigation into this bug found that Android versions before Android Oreo (Android version 7 and earlier, API level 25 and earlier) leak some information about which webpage the browser is loading. This was corrected in newer versions of Android. However, this temporary regression is necessary because it is likely that most users have an older version of Android, and there may be other bugs we haven’t discovered yet. One bug in the Android networking code is one bug too many. We are working on a new way of downloading these icons.
The full changelog since Tor Browser for Android 1.0a2 is:
- Update Firefox to 60.3.0esr
- Update Torbutton to 2.1.1
- Update HTTPS Everywhere to 2018.9.19
- Backport of fixes for bug 1448014, 1458905, 1441345, and 1448305
- Bug 1623: Block protocol handler enumeration (backport of fix for #680300)
- Bug 28125: Prevent proxy-bypass bug by Android networking library