Anyone who was using Windows for TOR browsing was already asking for trouble. Anyone browsing outside a "sealed" VM setup such as Whonix was also asking for trouble.
If you just run tor inside the VM, the above is true. If all the traffic out of the VM is routed through tor, then the IP address they will get is a tor (not clearnet) IP address. In order to get a clearnet IP address off a VM, you'll need to exploit the VM itself, a task clearly much harder than misusing javascript in a browser.
