Tor Browser 9.0.7 on Windows 10 build 10586 is vulnerable to information disclosure. This could allow local attackers to bypass the intended anonymity feature and obtain information regarding the onion services visited by a local user. This can be accomplished by analyzing RAM memory even several hours after the local user used the product. This occurs because the product doesn't properly free memory.
Tor Browser - 9.0.7
Local
Information Disclosure
https://www.sciencedirect.com/science/article/pii/S0167404821001358
For the PoC.sh to work, a memory dump of the user work station should be granted. It will provide information about visited sites even after 10 hours from the user interaction.
You can find the shell script that automate the process of finding the visited onion services in the files section. The following Figure shows the Report file output which indicates the visited sites and additional information:
Malak Alfosail