paint-brush
Unsafe use of target=”_blank”by@sachindra149
5,368 reads
5,368 reads

Unsafe use of target=”_blank”

by SachindraApril 28th, 2020
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Unsafe use of target=”_blank” attribute to open a new webpage can create a major security threat to your application. The issue is the webpage that we are linking our existing page to gains a partial access to the linking page, or in other words, the target page or URL gains access to our parent page from where the user is redirected to a new URL. This happens through the windowopener object of Javascript. The attacker can change the.opener to some malicious page and also the parent page. In case the. parent page has the same look and feel of the user intended page, he might end up sharing. credentials or secure information.

Company Mentioned

Mention Thumbnail
featured image - Unsafe use of target=”_blank”
Sachindra HackerNoon profile picture

Developers have been frequently using this attribute to open a new webpage. But this attribute, though looks pretty simple, can create a major security threat to your application.

The threat associated is called Reverse Tabnabbing. The issue is the webpage that we are linking our existing page to gains a partial access to the linking page, or in other words, the target page or url gains a partial access to our parent page from where the user is redirected to a new url.

This happens through the window.opener object of Javascript. The attacker can change the 

window.opener.location
 to some malicious page and also the parent page. In case the parent page has the same look and feel of the user intended page, he might end up sharing credentials or secure information assuming that the webpage is secure.

To prevent pages from misusing window.opener property, we use

rel="noopener"
. This ensures that window.opener is assigned to NULL.

This works in Chrome 49 and above, Opera 36 and above, Firefox 52 and above, Desktop Safari 10.1+ and iOS Safari 10.3+. Though for older browsers,

rel="noreferrer"
 works pretty fine. So, as a combination, we can use 
rel="noopener noreferrer"
 attribute.

Also, remember, whenever we open a new window using

window.open() 
property, we’re also vulnerable to this, so, its always advisable to reset the 
"opener"
 property.