js blunder - what next? : OpSec | Torhoo darknet markets

Safest setting does disable JS. I know this for a fact due to dark web sites Ive been on (non illegal) that used java script aspects that did not work with Safest Setting only turned on.

With JavaScript enabled you run the risk of leaking your IP address, geolocation & being tracked.

What Are JavaScript Vulnerabilities?

JavaScript vulnerabilities refer to weaknesses in the JavaScript code running within a web browser that can be exploited by attackers to execute malicious actions. These vulnerabilities can lead to a wide range of issues, including:

• Cross-site scripting (XSS): This occurs when attackers inject malicious JavaScript into a website, which is then executed in a user’s browser, potentially stealing cookies, credentials, or other sensitive information.
• Browser exploits: Malicious JavaScript code can sometimes take advantage of browser-specific flaws to execute arbitrary commands, compromise system security, or even install Malware.
• Fingerprinting: Websites can use JavaScript to gather a range of data points about a user’s device, such as screen resolution, installed plugins, fonts, and more, to uniquely identify the user.
• Tracking and surveillance: JavaScript can be used to track users across websites, building a detailed picture of their online activities, even if they are using tools like Tor to mask their IP address.

This depend on your operating system. Are you using tor browser only on your OS without anything else? There is a risk of IP disclosure. If you are using something like Tails or Whonix the leak possibility is less as traffic is all forced through tor. The problem you are facing more is that any information you provided to vendors who may have been arrested can be used against you.

on a seized website you run the risk of multiple ways of being identified, assuming a straight forward approach where you are identified by IP address alone it would probably be too much of a hassle to "go after you" for being a customer and the relatively low amount of money being exchanged

but to comment on some of the other replies, XSS wouldn't make sense on a seized website, they already control the site no need to include some kind of xss
fingerprinting is possible on a seized site, but assuming you're using the tor browser and navigating to a .onion, the fingerprinting would most likely be useless or little value (to note javascript can't get your screen resolution only your windows size for your browser), javascript could be used to track users across websites, provided they had a mechanism to do so on multiple websites which with a single seized domain, they wouldn't unless they had some coordination with google or facebook or something seems very unlikely/impractical and would require you to go to each of these sites, which a uniquely fingerprintable browser and have cookies from facebook/google/seized domain (aka the amount of work would make this virtually impossible unless you were osama bin laden or something)

mitigations:
use tor browser, dont resize the browser, use stock default settings (double check that javascript is disabled)
dont install extensions in your tor browser
go directly to the domain as opposed to clicking links (or just copy the link and manually enter it in)

suppose you wanted to allow javascript i'd just make sure you were in a public place public wifi implementing some common sense opsec