Tor Browser 15.0.1 Patches Security Holes in Privacy Stack

The maintenance release resolves default zoom reset bugs, restores readable CJK fonts on Linux, and patches 9 Firefox vulnerabilities including 2 rated High severity.

Tor Browser 15.0.1 shipped on November 11, 2025, carrying security patches from Firefox 145 backported into the Firefox 140.5.0 ESR foundation. The Tor Project released this maintenance update fourteen days after Tor Browser 15.0 introduced vertical tabs, tab groups, and Android screen lock capabilities. Version 15.0.1 fixes specific bugs while strengthening defenses through Mozilla's latest security work.

Firefox 140.5.0 ESR corrected 9 security vulnerabilities, 2 rated High severity, when Mozilla released it the same day as Tor Browser 15.0.1. Tor Browser inherits these patches through its Extended Support Release foundation, which prioritizes stability over bleeding-edge features. The security fixes originated in Firefox 145's rapid-release channel before Mozilla engineers backported them to ESR branches that organizations and privacy-focused browsers depend on.

The backporting practice matters because Tor Browser users face sophisticated threats targeting known browser vulnerabilities. State actors and commercial surveillance operations scan for outdated software running exploitable code. Extended Support Release versions lag behind rapid-release Firefox by design: they receive feature updates once yearly while rapid-release Firefox ships new features every four weeks. Security patches flow backward from rapid-release to ESR, creating a window where rapid-release users get fixes first. Tor Browser's announcement confirms Firefox 145 security work reached ESR users through this 15.0.1 update.

Tor Browser 15.0.1 updated NoScript to version 13.4, released November 1, 2025. NoScript blocks JavaScript execution by default, requiring users to whitelist specific domains before scripts run. The extension prevents cross-site scripting attacks, clickjacking attempts, and JavaScript-based fingerprinting techniques that track users across websites. Tor Browser 15.0 shifted WebAssembly control from global preferences into NoScript's management, making the extension responsible for both JavaScript and WebAssembly blocking on Safer and Safest security levels.

The release added DuckDuckGo's "No AI" version as a search engine option. Traditional DuckDuckGo search results now include AI-generated answers alongside organic results, similar to Google's AI Overview feature and Bing's Copilot integration. The "No AI" variant excludes machine-generated summaries, providing only indexed web results. Users selecting this option avoid AI hallucinations (fabricated information presented as fact) that large language models frequently generate when answering queries about topics requiring precision.

Tor Browser's search engine list now sorts alphabetically, fixing inconsistent ordering that made finding specific engines harder. The browser previously organized search providers without clear logic, forcing users to scan the entire list. Alphabetical sorting reduces friction when switching between DuckDuckGo variants, Startpage, and other privacy-respecting options built into Tor Browser.

Version 15.0.1 resolved a default zoom reset issue where zoom levels perpetually reverted to 100% regardless of user preferences. Users with vision impairments or high-DPI displays who configured larger default zoom settings found their preferences ignored after restarting the browser. The bug affected all desktop platforms (Windows, macOS, and Linux), forcing repeated manual adjustments. Fixed zoom persistence maintains accessibility without requiring users to reconfigure settings every session.

Linux users received restored Noto CJK fonts after Tor Browser 15.0 switched to Jigmo fonts with insufficient readability. CJK refers to Chinese, Japanese, and Korean character sets requiring thousands of glyphs. Jigmo's limited glyph coverage produced rendering failures where characters displayed as boxes or question marks. Noto CJK fonts provide comprehensive coverage across all three writing systems. The self-upgrade window on Linux also received corrected font and text rendering that fixed layout problems introduced in 15.0.

The about:tor upgrade notification page now displays properly instead of remaining blank when updates become available. Tor Browser checks for new versions on startup and presents release information through about:tor. The broken notification system left users unaware of available updates, potentially running older versions with known vulnerabilities. Fixed upgrade messaging ensures users see release announcements and security advisories.

Android users running Tor Browser 15.0.1 receive GeckoView 140.5.0esr, Mozilla's Android-specific rendering engine. GeckoView handles webpage rendering, JavaScript execution, and extension support on mobile platforms. The update fixes extension update job failures that prevented NoScript and other add-ons from fetching new versions automatically. Manual extension updates required navigating add-on settings and checking for updates individually; fixed automatic updates restore seamless security maintenance.

Tor Browser 15.0, released October 28, 2025, introduced vertical tabs that stack open and pinned tabs in a sidebar instead of spanning the top of the window. Tab groups enable color-coded organization with custom names for related tabs. The address bar gained a unified search button for switching between DuckDuckGo, Startpage, and other privacy-focused engines mid-query. Android received screen lock functionality requiring fingerprint, face recognition, or passcode authentication when switching away from the browser.

Tor Browser 15.0 marked the final major release supporting x86 architecture on Linux and Android, alongside Android 5.0, 6.0, and 7.0. Version 16.0, expected mid-2026, requires Android 8.0 minimum. The x86 sunset follows Mozilla's February 2025 decision to end 32-bit Firefox support after Firefox 140 ESR reaches end-of-life in September 2026. Users on older hardware must maintain Tor Browser 15.x indefinitely or upgrade devices to continue receiving security updates.

Tor Browser's ESR foundation guarantees security support through September 2026 for version 140.x. Mozilla maintains two ESR branches simultaneously (currently Firefox ESR 140 and Firefox ESR 115), providing organizations extended timelines for testing and deployment. When Firefox ESR 153 begins in mid-2026, Firefox ESR 115 reaches end-of-life. Tor Browser typically upgrades ESR foundations annually during major version releases.

The Tor Project's annual security audit reviewed approximately 200 Firefox modifications before releasing Tor Browser 15.0. These modifications harden Firefox against fingerprinting attacks, disable telemetry collection, integrate Tor circuit management, and enforce isolation between different website identities. Annual audits verify that Firefox upstream changes during the previous year haven't compromised Tor Browser's privacy architecture. Independent security researchers examine modifications for logic errors, memory safety issues, and cryptographic implementation flaws.

Tor Browser 15.0.1 maintains compatibility with the Tor network's current consensus and guard node selection algorithms. Guard nodes provide the first hop in Tor circuits, requiring stability and long-term operation. Tor Browser selects guard nodes from a subset of highly reliable relays, using them for months before rotation. The browser builds three-hop circuits through guard nodes, middle relays, and exit nodes for every connection. Each circuit creates a different path through the network, preventing any single relay operator from correlating user activity.

Download Tor Browser 15.0.1 from the Tor Project's website or through the browser's built-in updater. The distribution directory provides checksums for integrity verification alongside GPG signatures proving authenticity. Users running Tor Browser 14.x receive automatic update prompts. Manual installation requires downloading the appropriate package for Windows, macOS, Linux, or Android, then verifying signatures before execution.
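
One way to script the verification step described above, as an added example that is not from the Tor Project or this article. It assumes a keyring file holding only a signing key you have already validated, a detached `.asc` signature over a SHA-256 manifest, and GNU `sha256sum`; all function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a downloaded package before running it.
# Assumed inputs: keyring with only the validated signing key, a
# "<sha256>  <filename>" manifest, and its detached signature "<manifest>.asc".

# Signature check with gpgv: only keys in the given keyring are accepted,
# so an unrelated key in a personal keyring cannot make this succeed.
verify_signature() {
    keyring=$1; sig=$2; data=$3
    gpgv --keyring "$keyring" "$sig" "$data"
}

# Checksum check against the manifest.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed exactly once.
verify_checksum() {
    file=$1; manifest=$2
    name=$(basename "$file")
    # Compare the whole name field. A substring grep would also match
    # "name.asc" or any longer entry that merely contains the same text.
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) print tolower($1) }' "$manifest")
    count=$(printf '%s\n' "$expected" | grep -c . || true)
    [ "$count" -eq 1 ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Full procedure: authenticate the manifest first, then trust its hashes.
# Returns 3 if the manifest signature does not verify.
verify_download() {
    keyring=$1; file=$2; manifest=$3
    verify_signature "$keyring" "$manifest.asc" "$manifest" || return 3
    verify_checksum "$file" "$manifest"
}
```

A missing manifest entry is treated as a failure (return code 2), so a package that was never covered by the signed manifest is not accepted by default.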