It's a JavaScript engine bug and JS is disabled by default. Still important, but I question whether anyone who enables JS in Tor is worth compromising.
Because the web isn't practically browsable without JS, so rather than users fiddling with NoScript and ending up disabling a ton of security features, they just turned JS on.