External Links using target='_blank'

An outgoing link uses the attribute target="_blank" without rel="noopener". When such a link is clicked, the page that opens in the new tab receives a reference to the original window through window.opener and can change that window's location.

What can happen?

A great demo can be found here: https://dev.to/ben/the-targetblank-vulnerability-by-example

Suppose x.com links to y.com. When a user clicks that link, y.com opens in a new tab while x.com stays in the original tab. Because the link was opened without rel="noopener", y.com now holds a reference to the original tab in window.opener. The same-origin policy stops y.com from reading x.com's content, but assigning to window.opener.location is allowed across origins, so y.com can navigate the original tab to any address it likes, for example a lookalike x.com login page. A user returning to a tab they believe they never left is unlikely to notice the swap. This technique is known as reverse tabnabbing and is used for phishing.

Remediation

The recommended remediation is to stop using target="_blank". Let users decide for themselves how a link should be opened instead of forcing "open in new tab" on them.

If you still need target="_blank", add rel="noopener" to the a tag. With it the new window's window.opener is null, so the opened page can no longer navigate the original tab. Adding rel="noreferrer" as well covers older browsers that understand noreferrer but not noopener (noreferrer implies noopener there) and additionally suppresses the Referer header. Note that current browsers (Chrome 88, Firefox 79 and Safari 12.1 and later) already treat target="_blank" on anchors as implying noopener, so the explicit attribute mainly matters for older browsers and for windows opened from script, where window.open(url, "_blank", "noopener") is the equivalent.
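The following is an added example, not code from the original page: it models the attacker-side step described above (what the opened page can do with window.opener, and why a null opener defeats it) and, for the remediation, a small audit helper that finds anchors with target="_blank" lacking rel="noopener" or rel="noreferrer" in static HTML and rewrites them. The sample HTML, the hostnames and all function names are constructed for this example; the tag scanning is a simple regex over start tags for templates, not a full HTML parser.

```javascript
// Added example (not code from the original page): attacker side of reverse
// tabnabbing plus an audit/fix helper for static HTML. Names and sample data
// are constructed for this example.

// --- attacker side: what the page opened in the new tab (y.com) can run ---
// In a real page `opener` is window.opener; it is passed in here so the
// function can be exercised outside a browser. With rel="noopener" the
// browser sets window.opener to null and the attack fails.
function reverseTabnab(opener, phishingUrl) {
  if (!opener) return false;
  try {
    // Cross-origin pages may not read the opener's content (same-origin
    // policy), but assigning to its location is permitted and navigates
    // the original tab (x.com) to the phishing page.
    opener.location = phishingUrl;
    return true;
  } catch (e) {
    return false;
  }
}

// --- defender side: find and fix <a target="_blank"> tags lacking noopener ---
const ANCHOR_TAG = /<a\b[^>]*>/gi;

// Value of an attribute inside one start tag; handles double-, single- and
// unquoted values. Returns null when the attribute is absent.
function attrValue(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  if (!m) return null;
  if (m[1] !== undefined) return m[1];
  if (m[2] !== undefined) return m[2];
  return m[3];
}

// True for <a ... target="_blank"> whose rel contains neither noopener nor noreferrer.
function isUnsafeBlankLink(tag) {
  const target = attrValue(tag, 'target');
  if (target === null || target.toLowerCase() !== '_blank') return false;
  const rel = (attrValue(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

function findUnsafeBlankLinks(html) {
  return (html.match(ANCHOR_TAG) || []).filter(isUnsafeBlankLink);
}

// Rewrite every unsafe anchor: add rel="noopener", or append noopener to an
// existing rel (e.g. rel="nofollow" becomes rel="nofollow noopener").
function addNoopener(html) {
  return html.replace(ANCHOR_TAG, (tag) => {
    if (!isUnsafeBlankLink(tag)) return tag;
    if (attrValue(tag, 'rel') === null) {
      return tag.replace(/\s*\/?>$/, (end) => ' rel="noopener"' + end);
    }
    return tag.replace(
      /(\srel\s*=\s*)(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i,
      (whole, prefix, dq, sq, uq) => {
        const current = dq !== undefined ? dq : (sq !== undefined ? sq : uq);
        return prefix + '"' + current.trim() + ' noopener"';
      });
  });
}

// Constructed sample page (not a real site) mixing safe and unsafe links.
const SAMPLE_HTML = [
  '<p>Constructed sample, not a real page.</p>',
  '<a href="https://y.com" target="_blank">unsafe</a>',
  '<a href="https://y.com" target=\'_blank\' rel="noopener">safe 1</a>',
  '<a href="https://y.com" target=_blank rel=noreferrer>safe 2</a>',
  '<a href="https://y.com" target="_blank" rel="nofollow">unsafe, rel without noopener</a>',
  '<a href="https://y.com">same tab</a>',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe links:', findUnsafeBlankLinks(SAMPLE_HTML));
  console.log('fixed HTML:\n' + addNoopener(SAMPLE_HTML));
  const fakeOpener = { location: 'https://x.com/' };
  reverseTabnab(fakeOpener, 'https://x.com.evil.example/login');
  console.log('original tab now at:', fakeOpener.location);
  console.log('with noopener:', reverseTabnab(null, 'https://x.com.evil.example/login'));
}
```

Run it with node to see the two offending anchors, the rewritten markup, and the simulated original tab being redirected when an opener reference exists versus nothing happening when it is null. In a real review the scan is most useful over templates and CMS output before deployment; in the browser itself, checking document.querySelectorAll('a[target=_blank]:not([rel~=noopener]):not([rel~=noreferrer])') in the console gives the same list for a rendered page.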

Resources