Die Standardkonfiguration des NoScript-Plugins im TorBrowser lässt die Ausführung von JavaScript zu. Warum dieses Sicherheitsrisiko eingegangen wird, ist in den FAQ zum TorBrowser erklärt:
On the one hand, we should leave JavaScript enabled by default so websites work the way users expect. On the other hand, we should disable JavaScript by default to better protect against browser vulnerabilities […] But there’s a third issue: websites can easily determine whether you have allowed JavaScript for them, and if you disable JavaScript by default but then allow a few websites to run scripts (the way most people use NoScript), then your choice of whitelisted websites acts as a sort of cookie that makes you recognizable (and distinguishable), thus harming your anonymity.