People using target='_blank' links usually have no idea about this curious fact:
The page we're linking to gains partial access to the linking page via the window.opener object.
The newly opened tab can, say, change the window.opener.location to some phishing page. Or execute some JavaScript on the opener-page on your behalf... Users trust the page that is already opened, they won't get suspicious.
Example attack: create a fake "viral" page with cute cat pictures, jokes or whatever, get it shared on Facebook (which is known for opening links via _blank) and every time someone clicks the link - execute
window.opener.location = 'https://fakewebsite/facebook.com/PHISHING-PAGE.html';
…redirecting to a page that asks the user to re-enter her Facebook password.
How to fix
Add this to your outgoing links.
rel="noopener"
Update: FF does not support "noopener" so add this.
rel="noopener noreferrer"
Remember that every time you open a new window via window.open(); you're also "vulnerable" to this, so always reset the "opener" property:
var newWnd = window.open();
newWnd.opener = null;
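Both fixes above, applied to a whole page: this is an added example, not code from the original post. The function names (relTokens, hardenLinks, safeOpen) are made up for illustration, and it goes slightly beyond the post by also covering named targets (target="something"), which hand over window.opener the same way _blank does.

```javascript
// Added example (not from the original post): harden links that open a new
// browsing context, and wrap window.open() so the child loses its opener.
const REQUIRED = ['noopener', 'noreferrer'];
const SAME_CONTEXT = ['', '_self', '_parent', '_top'];

// rel is a space-separated, case-insensitive token list; keep existing
// tokens (e.g. "nofollow") and report which required ones are absent.
function relTokens(rel) {
  const tokens = (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return { tokens, missing: REQUIRED.filter((t) => !tokens.includes(t)) };
}

// Fix every <a>/<area> whose target opens another tab or named window.
// Returns the elements that were changed, for logging or a CI report.
function hardenLinks(root) {
  const changed = [];
  for (const el of root.querySelectorAll('a[target], area[target]')) {
    const target = (el.getAttribute('target') || '').toLowerCase();
    if (SAME_CONTEXT.includes(target)) continue;
    const { tokens, missing } = relTokens(el.getAttribute('rel'));
    if (missing.length === 0) continue;
    el.setAttribute('rel', tokens.concat(missing).join(' '));
    changed.push(el);
  }
  return changed;
}

// The post's window.open() fix, with the popup-blocker case handled:
// open() returns null when the popup is blocked.
function safeOpen(url, win) {
  const child = win.open(url, '_blank');
  if (child) child.opener = null;
  return child;
}

// In a browser, run once the DOM is ready; a no-op under Node.
if (typeof document !== 'undefined') {
  const fixed = hardenLinks(document);
  console.log('hardened ' + fixed.length + ' link(s)');
}
```

hardenLinks only sees links that exist when it runs, so links inserted later (user comments, lazy-loaded content) need the same pass or a rel set at render time.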
PS. Interestingly, Google doesn't seem to care.
from : https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/