Skip to main content
HashnodeePlus.DEV - Exploring Technology with David NguyenePlus.DEV - Exploring Technology with David Nguyen

Command Palette

Search for a command to run...

Avoid target='_blank' attribute without rel='noopener noreferrer'

Updated
1 min read
Avoid target='_blank' attribute without rel='noopener noreferrer'
D
David Nguyen

A passionate full-stack developer from @ePlus.DEV

Part of seriesSecurity

Description

A malicious actor can gain full control over the user's DOM window object. This can lead to phishing attacks such as fake login prompts or password alerts being shown to the user.

Using target='_blank' links grants the page we are linking to a partial access to the source page via the window.opener object.

The newly opened tab can then change the window.opener.location to some phishing page. Or execute some JavaScript on the opener page on their behalf. Since the users trust the page that is already opened, they won't get suspicious and this might result in a security risk.

Bad Practice

  <a href="http://example.com" target="_blank" >link</a>

<a href="http://example.com" target="_blank" rel="noopener noreferrer">link</a>

References

Comments

Join the discussion

No comments yet. Be the first to comment.

Security

Part 1 of 2

Security involves measures and practices implemented to protect people, information, assets, and systems from potential threats or harm. It encompasses physical security, cybersecurity, and personals

Up next

Laravel SMTP Crack: Unveiling the Vulnerability with Laravel SMTP Checker by XCATZE

I got the feeling that it works on non-SSL web apps, with just IP or unsecured domain names, and also when APP_DEBUG=true on dev or staging. Debug should be disabled in production. Spammers have one goal, to send as much spam as cheaply as possib...

More from this blog

E

ePlus.DEV - Exploring Technology with David Nguyen

1229 posts

A passionate full-stack developer from VIETNAM.