Security Risk with target="_blank"

Luis Castillo
2 min read · Jan 3, 2022

Let's talk about an important topic: security. I think the personal information and data that websites collect from us are vital to protect. This week I decided to work on my portfolio website, which is where I learned about this security risk.

When we write code that needs to send a user to a destination, we create an a href="" element that points at an internal or external route. If we want the link to open in a new window when the user clicks it, we add target="_blank" to that element.

Today's browsers have fixed this issue for links that use target="_blank". There are several ways to fix it when you want a link to open in a new window, and below I give the code I used to fix it.

Example attack scenario

  • Create a fake "viral" page with cute cat pictures, jokes, or whatever, and get it shared on Facebook (known for opening links via _blank).
  • Create a "phishing" website at https://fakewebsite/facebook.com/page.html, for example.
  • Put this code into your "viral" page:
    window.opener.location = 'https://fakewebsite/facebook.com/page.html';
  • This redirects the Facebook tab to your phishing page, which asks the user to re-enter their Facebook password.

How to fix it

Add this to your outgoing links.

rel="noopener"

Update: Firefox does not support "noopener", so add this instead:

rel="noopener noreferrer"

Remember that every time you open a new window via window.open() you are also "vulnerable" to this, so always reset the "opener" property:

var newWnd = window.open();
newWnd.opener = null; // sever the new window's reference back to this page
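To make both fixes checkable, here is an added example (my own code, not from the original post) that audits an HTML string for target="_blank" links missing rel="noopener" or rel="noreferrer", and wraps window.open() so the opener is cleared. The sample markup and the injectable win object are constructed for illustration.

```javascript
// Parse the attribute list of one <a ...> start tag into a map keyed by
// lowercased attribute name. Values keep their original case (hrefs matter).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the href of every <a> that opens a new tab without "noopener".
// rel="noreferrer" also severs the opener (it is what old Firefox needed),
// so either token counts as safe.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  const tagRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[1]);
    if ((a.target || "").toLowerCase() !== "_blank") continue;
    const rel = (a.rel || "").toLowerCase().split(/\s+/);
    if (!rel.includes("noopener") && !rel.includes("noreferrer")) {
      unsafe.push(a.href || "");
    }
  }
  return unsafe;
}

// Open a new window and null its opener right away, so the page it loads
// cannot use window.opener.location against this tab. `win` is injectable
// (a constructed stand-in for the browser window) for testing outside a browser.
function safeOpen(url, win = window) {
  const newWnd = win.open(url);
  if (newWnd) newWnd.opener = null; // popup blockers can return null
  return newWnd;
}

// Constructed sample markup (not from any real site) mixing safe and unsafe links.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">unsafe: no rel</a>
<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">safe</a>
<a href='https://example.com/c' target='_blank' rel='noreferrer'>safe (old Firefox)</a>
<a href="/about">internal, same tab</a>
<A HREF="https://example.com/e" TARGET="_blank" REL="nofollow">unsafe: wrong rel</A>
`;
```

Running findUnsafeBlankLinks over a site's templates before deploy catches the links that still need rel="noopener noreferrer"; current browsers also accept "noopener" in the third argument of window.open().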
