Target _Blank - The Infamous Issue

This is one of those vulnerabilities which hasn't got enough spotlight, and therefore vendors are still reluctant to fix it. Some of the vendors do not consider this a vulnerability at all. Here via this blog post, I would like to highlight this issue, and also possible workaround(s).

What is "target="_blank"?

If you have done the HTML coding you must be aware of the target=_blank when you write your links via href. As per definition1, the target attribute specifies where to open the linked document. The issue is very much when it tells the browser to open it in new windows/ tab. During this, the page we are linking in new window/tab has partial access to the parent linker via window.opener.location object. Therefore the new page can overwrite the location of the previous (or parent linker) and open a phishing page or execute a javascript.

Demo

I have created a sample JS file and you can test it by including in the <body> of your test.html page: <script type="text/javascript" src="https://qb.is/phishing-js"></script> Once completed, if you include a link <a href="yoursite.xx/test.html" target="_blank">your site</a> or just include your website in some social networking sites like "facebook", they auto-add the target=_blank to open in a new window. Voila! You can then redirect the parent linker page to a new location.

Demo: In this demo, Facebook window redirects/opens to this blog post

Fix/ Workaround:

Refer the following table2 for understanding the various link types/ values to fix this issue. It can be fixed by the parent-website on including rel=noopenerand rel="noopener noreferrer" (firefox fix) in the href code. This will disable the new window to have access to window.opener object. Also, if you are using the window.open() function, do append the following measures,

var newWINDOW = window.open();
newWINDOW.opener = null;

Cheers & be safe.


❮❮ NIST Digital Auth and Password Rules

Ghost Blog and custom URL Shortening ❯❯


Rishi Narang

I'm a hacker. I find inventive/ intuitive solutions to problems. I write open-source code, help out people where I can - particularly if it involves a clever technical solution. I'm based in France.