The target _blank vulnerability

Most of us have been using target='_blank' in our links. That is a popular but dangerous practice.

The problem

The page opened via target='_blank' gets partial access to the linking page through the window.opener object. That allows the opened page to load any other site in the original tab, the one the user came from.

This could be used in a simple phishing attack.

Example

A page that the user trusts has this link:

<a href="https://www.somesite.example.com" target="_blank">Click here</a>

After the user clicks this link, somesite.example.com gets access to window.opener and could do something like:

window.opener.location = "https://www.unsafe.example.com/phishing";

The above code would load the unsafe site in the previous tab/window, the one the user came from. This works as a phishing attack because the user trusts the site they were on.

The problem also presents itself when opening a page with window.open().

Solution

We can fix this by cutting the backlink (opener object) between the parent and the child pages:

  • Use rel="noopener noreferrer" for HTML links.
<a href="https://www.somesite.example.com" target="_blank" rel="noopener noreferrer">Click here</a>
  • For pages opened with window.open(), cut the link by setting opener to null.
let blogPage = window.open("https://www.somesite.example.com");
blogPage.opener = null;
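
A check for the fix described above, as an added example that is not part of the original post: it scans markup for target="_blank" links missing the recommended rel tokens and rewrites them. The function names and the sample markup are assumptions made for illustration, and the regex scan is a lint-level approximation, not a full HTML parser.

```javascript
// Added example: lint-level scan for target="_blank" links missing the rel
// tokens the article recommends. Regex-based, so not a full HTML parser.
const REQUIRED = ["noopener", "noreferrer"];
const TAG = /<a(?=[\s\/>])[^>]*>/gi;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Constructed sample markup; hosts are the article's placeholder names.
const SAMPLE = `
<a href="https://www.somesite.example.com" target="_blank">no rel</a>
<a href='https://www.somesite.example.com' TARGET=_blank rel="nofollow">partial</a>
<a href="https://www.somesite.example.com" target="_blank" rel="noopener noreferrer">ok</a>
<a href="/local" title="not target=_blank">same tab</a>`;

// Parse one <a ...> start tag into a name -> value map (first duplicate wins).
function parseAttrs(tag) {
  const out = Object.create(null);
  const body = tag.slice(2).replace(/\/?>$/, "");
  for (const m of body.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    if (!(name in out)) out[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return out;
}

// Tokens still missing from rel when the link targets _blank (else none).
function missingRelTokens(a) {
  if ((a.target ?? "").toLowerCase() !== "_blank") return [];
  const rel = (a.rel ?? "").toLowerCase().split(/\s+/);
  return REQUIRED.filter((t) => !rel.includes(t));
}

// Report every link that needs fixing, for use in CI or a template review.
function auditBlankTargets(html) {
  return [...html.matchAll(TAG)]
    .map((m) => ({ tag: m[0], attrs: parseAttrs(m[0]) }))
    .map(({ tag, attrs }) => ({ tag, href: attrs.href ?? null, missing: missingRelTokens(attrs) }))
    .filter((f) => f.missing.length > 0);
}

// Rewrite flagged tags, keeping existing rel tokens and adding the missing ones.
function hardenBlankTargets(html) {
  return html.replace(TAG, (tag) => {
    const a = parseAttrs(tag);
    const missing = missingRelTokens(a);
    if (missing.length === 0) return tag;
    a.rel = [...(a.rel ?? "").split(/\s+/).filter(Boolean), ...missing].join(" ");
    const parts = Object.entries(a).map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`);
    return `<a ${parts.join(" ")}>`;
  });
}
```

Rewritten tags are re-serialized with lower-cased attribute names and double-quoted values; tags that already carry both tokens, or that do not target _blank, are left byte-for-byte unchanged.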

More information here.

Sources

Prateek Choudhary
Senior Software Developer