The infamous issue of target _blank code


Full article

This is one of those vulnerabilities which hasn't got enough spotlight, and therefore vendors are still reluctant to fix it. Some of the vendors do not consider this a vulnerability at all. Here via this blog post, I would like to highlight this issue, and also possible workaround(s).

What is "target="_blank"?

If you have done the HTML coding you must be aware of the target=_blank when you write your links via href. As per definition[1], the target attribute specifies where to open the linked document. The issue is very much when it tells the browser to open it in new windows/ tab. During this, the page we are linking in new window/tab has partial access to the parent linker via window.opener.location object. Therefore the new page can overwrite the location of the previous (or parent linker) and open a phishing page or execute a javascript.


I have created a sample JS file and you can test it by including in the <body> of your test.html page: <script type="text/javascript" src=""></script> Once completed, if you include a link <a href="yoursite.xx/test.html" target="_blank">your site</a> or just include your website in some social networking sites like "facebook", they auto-add the target=_blank to open in a new window. Voila! You can then redirect the parent linker page to a new location.

Demo: In this demo, Facebook window redirects/opens to this blog post

Fix/ Workaround:

Refer the following table[2] for understanding the various link types/ values to fix this issue. It can be fixed by the parent-website on including rel=noopenerand rel="noopener noreferrer" (firefox fix) in the href code. This will disable the new window to have access to window.opener object. Also, if you are using the function, do append the following measures,

var newWINDOW =;
newWINDOW.opener = null;

Cheers & be safe.

  1. ↩︎

  2. ↩︎