Knowledge Base

Back to Knowledge Base

Support Center

External Links using target='_blank'

Last Updated: Apr 21, 2017 11:47PM CEST

An outgoing link has the parameter target=’_blank’ while not utilizing rel=noopener. When such a link is clicked, the target site can modify the location of the original window.

What can happen?

A great demo can be found here:

There is a link to on When a user click on that link is opened in a new tab while is in the original tab. However, has now control over the original tab as well and can change the address there to whatever they would want. This method can be used in phishing when trying to trick the visitor.


The recommended remediation method is to stop using target=’_blank’. Let the user choose by themselves how the link should be opened, do not force ‘open in new tab’ onto them.

However, if you still want to use target=’_blank’ make sure to add rel=noopener to the a-tag. This prevents the new page from controlling the original tab.

seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found