An outgoing link has the attribute target="_blank" but does not set rel=noopener. When such a link is clicked, the target site can modify the location of the original window.

What can happen?

A great demo can be found here:

There is a link to on When a user clicks on that link is opened in a new tab while is in the original tab. However, now has control over the original tab as well and can change the address there to whatever they want. This method can be used in phishing to trick the visitor.


The recommended remediation is to stop using target="_blank". Let users choose for themselves how a link should be opened; do not force "open in new tab" onto them.

However, if you still want to use target="_blank", make sure to add rel=noopener to the a tag. This prevents the new page from controlling the original tab.
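One way to find the links that still need this fix is to audit your markup, shown here as an added example that is not part of the original page. The names `BlankTargetAuditor` and `audit` are hypothetical, the sample markup is constructed, and the check assumes that rel=noreferrer is accepted as well because it implies noopener.

```python
from html.parser import HTMLParser

# rel tokens that cut the new tab's reference to the original window.
# Assumption of this example: noreferrer counts, since it implies noopener.
SAFE_REL_TOKENS = {"noopener", "noreferrer"}


class BlankTargetAuditor(HTMLParser):
    """Collects <a>/<area> tags using target="_blank" without a safe rel token."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, href) for each unsafe link

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {}
        for name, value in attrs:
            # Browsers keep the first occurrence of a duplicated attribute.
            attr.setdefault(name, value or "")
        if attr.get("target", "").strip().lower() != "_blank":
            return
        # rel is a space-separated, case-insensitive token list.
        rel_tokens = set(attr.get("rel", "").lower().split())
        if not rel_tokens & SAFE_REL_TOKENS:
            line, _col = self.getpos()
            self.findings.append((line, attr.get("href", "")))


def audit(html):
    """Return [(line, href), ...] for links that open a new tab unprotected."""
    auditor = BlankTargetAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample markup (not taken from any real site).
SAMPLE = """<p>
<a href="https://partner.example/a" target="_blank">flagged</a>
<a href="https://partner.example/b" target="_blank" rel="noopener">ok</a>
<a href="https://partner.example/c" target="_BLANK" rel="nofollow">flagged</a>
<a href="https://partner.example/d" target="_blank" rel="NoReferrer external">ok</a>
<a href="/local">no target, ignored</a>
</p>"""

if __name__ == "__main__":
    for line, href in audit(SAMPLE):
        print(f"line {line}: {href} uses target=_blank without rel=noopener")
```

Run it over rendered templates or crawled pages in CI so that new links without rel=noopener are caught before release.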