tor browser

Tor Browser 15.0.3: NoScript Goes Independent

The Tor Project now hosts its own NoScript builds, versioned with ".1984" suffixes to mark independence from Mozilla's Add-ons infrastructure.

Sam

Sam

12 min read
Tor Browser 15.0.3: NoScript Goes Independent
Release Date
December 8, 2025
Tor Browser 15.0.3 released with Firefox ESR 140.6.0 and critical security patches.
Extension Update
NoScript Self-Hosted
NoScript now hosted on Tor infrastructure, versions ending in ".1984" signal independence from Mozilla.
Security Fixes
9 Vulnerabilities
Firefox ESR 140.6.0 patches 5 high and 4 moderate security vulnerabilities from MFSA 2025-94.
Anti-Censorship
Lyrebird v0.7.0
Updated pluggable transport implements obfs4, meek, Snowflake, and WebTunnel for censorship circumvention.
Fingerprinting
PDF.js Hardened
Enhanced fingerprinting protections prevent PDF viewer from leaking identifying browser characteristics.
Build System
Zucchini Disabled
Google's executable compression algorithm disabled for 15.0 series due to mingw compatibility issues.
Usability Fix
Captchas Restored
Subframe capability restrictions corrected to allow captchas after previous security hardening broke them.
Android
Adreno 510 Fixed
WebRender rendering issues on Qualcomm Adreno 510 GPU devices resolved for Android users.
Go Runtime
Go 1.24.11
Build system updated to Go 1.24.11 for Windows, Linux, and Android platforms.

Tor Browser 15.0.3 dropped December 8, 2025, and the most significant change has nothing to do with code. The Tor Project now hosts its own NoScript builds on its own infrastructure, ending dependence on Mozilla's Add-ons (AMO) ecosystem. Those builds carry version numbers ending in ".1984" a reference to Orwell and a signal that Tor's taking control of its own privacy tools.

The backstory explains the urgency. A mistake in Mozilla's signing infrastructure previously disabled NoScript and all other Firefox extensions signed by Mozilla in Tor Browser. Because NoScript enforces the higher security levels, this single point of failure compromised privacy for millions of users. The solution: host NoScript yourself, sign it yourself, update it yourself. Version 13.5.2.1984 equals AMO's 13.5.2 in functionality, but now the Tor Project controls the entire update pipeline without waiting for Mozilla.

Firefox ESR 140.6.0 forms the new base, available with security advisory MFSA 2025-94. The numbers: nine vulnerabilities patched, five rated high, four rated moderate. Tor Browser users inherit these fixes automatically, though the project backports additional Firefox 146 security patches for defense-in-depth.

The anti-censorship stack got attention with Lyrebird v0.7.0, upgrading from v0.6.2. Lyrebird implements the pluggable transports that help users bypass censorship obfs4, meek, Snowflake, and WebTunnel. The obfs4 protocol uses Elligator 2 mapping to obfuscate public keys during handshakes, making traffic look like random noise rather than encrypted data. NaCl secret boxes handle link-layer encryption with Poly1305/XSalsa20. For users in countries where governments block Tor, these protocols represent the difference between connecting and staying offline.

PDF.js fingerprinting protections received enhancements in this release. Browser fingerprinting achieves high accuracy in identifying users, and PDF viewers have become a vector for leaking browser characteristics. Tor Browser's letterboxing and other anti-fingerprinting measures make tracking difficult, but every unpatched fingerprinting surface undermines that work. Hardening PDF.js closes another potential leak.

The captcha fix addresses a usability regression. Previous security hardening broke subframe capabilities, which inadvertently prevented captchas from working. For users who need to prove they're human to access sites, this restriction created real problems. The correction restores captcha functionality while maintaining the intended security posture.

Desktop platforms Windows, macOS, and Linux all run on Firefox 140.6.0esr now. The build system disabled Zucchini, Google's executable patch algorithm that Chrome uses for updates. Zucchini delivers better compression than Mozilla's current mbsdiff for binary updates, but Tor's mingw cross-compilation environment breaks compatibility. The team will reconsider this for version 16.0. Until then, updates remain slightly larger but fully functional.

Android received GeckoView 140.6.0esr and a fix for WebRender issues on Qualcomm Adreno 510 devices. GPU-specific rendering bugs can make browsers unusable, and the Adreno 510 appears in enough budget Android phones that this fix matters.

The build infrastructure updated Go to version 1.24.11 for Windows, Linux, and Android. Go compiles the pluggable transports and other components, and keeping it current maintains compatibility with modern security practices.

The ".1984" version suffix on NoScript tells the real story of this release. When a privacy browser depends on a third party's infrastructure for critical security components, any failure in that infrastructure becomes a failure in your browser. Mozilla's signing mistake proved this. The Tor Project's response building, signing, and hosting NoScript independently removes that dependency. Giorgio Maone, NoScript's developer, pushed this release, coordinating with Tor to make the transition seamless.

For users running Tor Browser, updating delivers the security patches and the infrastructure improvements. For everyone watching browser privacy evolution, the move to self-hosted extensions demonstrates how privacy tools mature: by reducing dependencies on organizations with different priorities than yours.

Download locations remain the Tor Browser download page and the distribution directory.

Read more

Coins by Cryptorank