User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:220.127.116.11) Gecko/20080201 Firefox/18.104.22.168
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/20080201 Firefox/126.96.36.199
According to ECMA-262 pg 62, vars should be marked with the DontDelete attribute, preventing them from being deleted. However, for some reason 'var Date' and other variables that shadow builtin classes or fields can still be deleted.
This prevents Torbutton from hooking the Date object in such a way that it can't be recovered to reveal the original timezone.
I've updated the cases at that URL to include XPCNativeWrapper, which actually *is* properly marked with DontDelete when shadowed with var, and window.screen and window.history, which cannot be shadowed with var variables.
Interestingly, the behavior of XPCNativeWrapper changes in FF 3.0. In FF 3.0, a var XPCNativeWrapper doesn't even seem to shadow the builtin. However, a global scope variable does, but is of course deletable.
The Tor Project / Electronic Frontier Foundation is paying to have this bug fixed.
"If you know C++ and/or Firefox internals, we should be able to pay you for your time to address these issues and shepherd the relevant patches through Mozilla's review process."