When a link opens a URL in a new tab or window with target="_blank", the opened page receives a reference to the opening page in the JavaScript variable window.opener. Setting window.opener.location is permitted even across origins, so the opened page can navigate the original tab to any URL it likes. This exposes the user to a very simple phishing attack, often called reverse tabnabbing.

Imagine a link posted in a comment on a popular web site that points to a page controlled by the attacker (say: "http://example.com/dangerous"). It opens in a new tab and, while the user reads it, changes the location of the original tab to a fake login page that looks like the popular site's real one but is controlled by the attacker. That page asks the user to log in again, pretending that the session just timed out, and captures the credentials.

To prevent the opened page from abusing window.opener, add rel="noopener" to the <a href=...> element: the browser then opens the new tab with window.opener set to null. rel="noreferrer" implies noopener as well and is the fallback for older browsers that do not understand noopener.

In Chrome 88+, Firefox 79+ and Safari 12.1+, target="_blank" on anchors implies rel="noopener", so the protection is enabled by default. This implicit behaviour covers anchors only: windows opened from JavaScript with window.open() still get an opener unless "noopener" is passed explicitly in the features string, and older browsers still expose window.opener, so adding rel="noopener" explicitly remains the safe choice.
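The following is an added example, not code from the original rule page: a small checker that applies the rule's heuristic (target="_blank", no noopener/noreferrer, href not a hardcoded relative URL) to anchors in an HTML string, a helper that adds the missing rel token, and a wrapper showing the explicit "noopener" feature that window.open() needs. The function names, the regex-based anchor scanner and the sample HTML are my own; the scanner is deliberately simplified and is not a real HTML parser.

```javascript
// Added example (not from the rule page). Node-runnable; only openWithoutOpener()
// touches the browser, and it accepts a fake window for testing.

// A href is "hardcoded and relative" per the rule's exception: it does not start
// with http:// or https:// and contains none of the characters { } $ ( ) [ ].
function isHardcodedRelative(href) {
  return !/^https?:\/\//i.test(href) && !/[{}$()\[\]]/.test(href);
}

// rel is a space-separated, case-insensitive token list.
function relTokens(rel) {
  return (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// noreferrer implies noopener, so either token disables window.opener.
function hasNoopener(rel) {
  const t = relTokens(rel);
  return t.includes("noopener") || t.includes("noreferrer");
}

// The rule: a target="_blank" anchor without noopener is sensitive unless the
// href is a hardcoded relative URL.
function isSensitive({ href, target, rel }) {
  if ((target || "").toLowerCase() !== "_blank") return false;
  if (hasNoopener(rel)) return false;
  return !isHardcodedRelative(href || "");
}

// Returns the rel value with "noopener" appended when nothing already disables
// the opener; existing tokens (nofollow, noreferrer, ...) are preserved.
function hardenRel(rel) {
  const t = relTokens(rel);
  if (!t.includes("noopener") && !t.includes("noreferrer")) t.push("noopener");
  return t.join(" ");
}

// Simplified scanner: finds <a ...> start tags and reads double-quoted
// href/target/rel attributes. Good enough for the sample, not for arbitrary HTML.
function scanAnchors(html) {
  const findings = [];
  const tagRe = /<a\b([^>]*)>/gi;
  const attrRe = /(\w+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    findings.push({ tag: m[0], sensitive: isSensitive(attrs), fixedRel: hardenRel(attrs.rel) });
  }
  return findings;
}

// The implicit noopener recent browsers apply to target=_blank anchors does not
// apply to window.open(): "noopener" must be passed in the features string.
// `win` defaults to the real window in a browser; tests pass a fake object.
function openWithoutOpener(url, win = globalThis.window) {
  const child = win.open(url, "_blank", "noopener");
  // Fallback for old browsers that ignore the feature and still return a handle.
  if (child) child.opener = null;
  return child;
}

// Constructed sample mirroring the rule's own examples, plus a scheme-relative
// URL: by the rule's stated definition "//..." counts as relative, although it
// actually points to another origin, so the heuristic does not flag it.
const SAMPLE_HTML = `
<a href="http://example.com/dangerous" target="_blank">external</a>
<a href="{{variable}}" target="_blank">templated</a>
<a href="http://petssocialnetwork.io" target="_blank" rel="noopener">compliant</a>
<a href="internal.html" target="_blank">relative</a>
<a href="//example.com/dangerous" target="_blank">scheme-relative</a>
`;

for (const f of scanAnchors(SAMPLE_HTML)) {
  console.log(f.sensitive ? "SENSITIVE" : "ok       ", f.tag, "-> rel=\"" + f.fixedRel + "\"");
}
```

Running the block prints one line per anchor: the first two are flagged, the compliant and relative ones are not, and the scheme-relative one slips through the heuristic exactly as the Exceptions section below defines it, which is why a code review should still look at such links.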

Ask Yourself Whether

There is a risk if you answered yes to all of those questions.

Recommended Secure Coding Practices

Sensitive Code Example

<a href="http://example.com/dangerous" target="_blank"> <!-- Sensitive; "window.opener" is not null in the new tab/window, so http://example.com/dangerous can change the location of this page -->

<a href="{{variable}}" target="_blank"> <!-- Sensitive; the destination is not hardcoded, so it may be controlled by an attacker -->

Compliant Solution

<a href="http://petssocialnetwork.io" target="_blank" rel="noopener"> <!-- Compliant -->

Exceptions

No issue will be raised when href contains a hardcoded relative URL, as it is less likely to be vulnerable. A URL is considered hardcoded and relative if it does not start with http:// or https:// and does not contain any of the characters {}$()[]. Note that by this definition a scheme-relative URL (one starting with //) also counts as relative even though it can point to another origin.

<a href="internal.html" target="_blank" > <!-- Compliant -->

See