wasn't a 0-day it was a 37-day, which is why all the people with the new TBB are safe. There were two exploits to the best of my understanding, one relied on javascript but later they added one that exploited image tags, presumably in order to get the people they were missing because they had disabled javascript. Both of the exploits delivered the same payload that only works on Windows, and both of the vulnerabilities were fixed in the most recent Tor Browser. So if you were on Windows with outdated Tor Browser you are still probably fucked even if you had javascript off.