<h2 id="heading-description">Description</h2>
A malicious actor can gain full control over the user's DOM window object. This can lead to phishing attacks such as fake login prompts or password alerts being shown to the user.
Using <code>target='_blank'</code> links grants the page we are linking to a partial access to the source page via the <code>window.opener</code> object.
The newly opened tab can then change the <code>window.opener.location</code> to some phishing page. Or execute some JavaScript on the opener page on their behalf. Since the users trust the page that is already opened, they won't get suspicious and this might result in a security risk.
<h3 id="heading-bad-practice">Bad Practice</h3>
<pre><code class="lang-apache"> &lt;a href="http://example.com" target="_blank" &gt;link&lt;/a&gt;
</code></pre>
<h3 id="heading-recommended">Recommended</h3>
<pre><code class="lang-apache">&lt;a href="http://example.com" target="_blank" rel="noopener noreferrer"&gt;link&lt;/a&gt;
</code></pre>
<h2 id="heading-references">References</h2>
<ul>
<li><a target="_blank" href="https://owasp.org/Top10/A05_2021-Security_Misconfiguration/">OWASP A05:2021 - Security Misconfiguration</a>
</li>
<li><a target="_blank" href="https://owasp.org/www-community/attacks/Reverse_Tabnabbing">Reverse Tabnabbing</a>
</li>
<li><a target="_blank" href="https://web.dev/external-anchors-use-rel-noopener/">Links to cross-origin destinations are unsafe</a>
</li>
<li><a target="_blank" href="https://mathiasbynens.github.io/rel-noopener/">rel-noopener</a>
</li>
</ul>

## **Description**

A malicious actor can gain full control over the user's DOM window object. This can lead to phishing attacks such as fake login prompts or password alerts being shown to the user.

Using `target='_blank'` links grants the page we are linking to a partial access to the source page via the `window.opener` object.

The newly opened tab can then change the `window.opener.location` to some phishing page. Or execute some JavaScript on the opener page on their behalf. Since the users trust the page that is already opened, they won't get suspicious and this might result in a security risk.

### **Bad Practice**

```apache
 <a href="http://example.com" target="_blank" >link</a>
```

### **Recommended**

```apache
<a href="http://example.com" target="_blank" rel="noopener noreferrer">link</a>
```

## **References**

* [OWASP A05:2021 - Security Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)
 
* [Reverse Tabnabbing](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
 
* [Links to cross-origin destinations are unsafe](https://web.dev/external-anchors-use-rel-noopener/)
 
* [rel-noopener](https://mathiasbynens.github.io/rel-noopener/)

A malicious actor can gain full control over the user's DOM window object. This can lead to phishing attacks such as fake login prompts or password alerts b

Avoid target='_blank' attribute without rel='noopener noreferrer'

Description

Bad Practice

References

A passionate full-stack developer from VIETNAM.


"Exploring Technology with David Nguyen" - Join me on a tech odyssey as we delve into the latest advancements, coding wonders, and digital frontiers. Let's embrace the tech world together!

Avoid target='_blank' attribute without rel='noopener noreferrer'

Table of contents

Description

Bad Practice

Recommended

References