in a way that it injects some sort of JavaScript exploit in the Web pages delivered to users," Lewman wrote. "This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based.
Why you are NOT supposed to be running JS, or any programs on hidden services that you cannot look at the code. Are these people that stupid?
This has nothing to do with tor, but user stupidity.