This is one of those vulnerabilities which hasn't got enough spotlight, and therefore vendors are still reluctant to fix it. Some of the vendors do not consider this a vulnerability at all. Here via this blog post, I would like to highlight this issue, and also possible workaround(s).
What is "target="_blank"?
If you have done the HTML coding you must be aware of the
target=_blank when you write your links via
href. As per definition1, the
target attribute specifies where to open the linked document. The issue is very much when it tells the browser to open it in new windows/ tab. During this, the page we are linking in new window/tab has partial access to the parent linker via
I have created a sample JS file and you can test it by including in the
<body> of your test.html page:
<a href="yoursite.xx/test.html" target="_blank">your site</a> or just include your website in some social networking sites like "facebook", they auto-add the target=_blank to open in a new window. Voila! You can then redirect the parent linker page to a new location.
Demo: In this demo, Facebook window redirects/opens to this blog post
Refer the following table2 for understanding the various link types/ values to fix this issue. It can be fixed by the parent-website on including
rel="noopener noreferrer" (firefox fix) in the href code. This will disable the new window to have access to window.opener object. Also, if you are using the window.open() function, do append the following measures,
var newWINDOW = window.open(); newWINDOW.opener = null;
Cheers & be safe.