JS-0712 · Avoid `target='_blank'` attribute without `rel='noopener noreferrer'`

Avoid target='_blank' attribute without rel='noopener noreferrer' JS-0712

Security

Major

4 days ago — 2 years old

Using target="_blank" without rel="noopener noreferrer" is a security risk

javascript/packages/demo-nuxt/components/Tutorial.vue

 93              fill="currentColor"
 94            /></svg
 95        ></a>
 96        <a href="https://twitter.com/nuxt_js" target="_blank" 97          ><svg
 98            class="w-6 h-6 text-gray-600 hover:text-gray-800"
 99            xmlns="http://www.w3.org/2000/svg"

Using target="_blank" without rel="noopener noreferrer" is a security risk

javascript/packages/demo-nuxt/components/Tutorial.vue

 76        </p>
 77      </div>
 78      <div class="flex justify-center pt-4 space-x-2">
 79        <a href="https://github.com/nuxt/nuxt.js" target="_blank" 80          ><svg
 81            class="w-6 h-6 text-gray-600 hover:text-gray-800"
 82            xmlns="http://www.w3.org/2000/svg"

Using target="_blank" without rel="noopener noreferrer" is a security risk

javascript/packages/demo-nuxt/components/Tutorial.vue

 58          We recommend you take a look at the
 59          <a
 60            href="https://nuxtjs.org"
 61            target="_blank" 62            class="text-green-500 hover:underline"
 63            >Nuxt documentation</a
 64          >, whether you are new or have previous experience with the

Using target="_blank" without rel="noopener noreferrer" is a security risk

javascript/packages/demo-nuxt/components/Tutorial.vue

 11      <a
 12        class="flex justify-center pt-8 sm:pt-0"
 13        href="https://nuxtjs.org"
 14        target="_blank" 15      >
 16        <svg
 17          width="218"

Using target="_blank" without rel="noopener noreferrer" is a security risk

javascript/packages/demo-nuxt/components/Tutorial.vue

 93              fill="currentColor"
 94            /></svg
 95        ></a>
 96        <a href="https://twitter.com/nuxt_js" target="_blank" 97          ><svg
 98            class="w-6 h-6 text-gray-600 hover:text-gray-800"
 99            xmlns="http://www.w3.org/2000/svg"

Description

A malicious actor can gain full control over the user's DOM window object. This can lead to phishing attacks such as fake login prompts or password alerts being shown to the user.

Using target='_blank' links grants the page we are linking to a partial access to the source page via the window.opener object.

The newly opened tab can then change the window.opener.location to some phishing page. Or execute some JavaScript on the opener page on their behalf. Since the users trust the page that is already opened, they won't get suspicious and this might result in a security risk.

Bad Practice

  <a href="http://example.com" target="_blank" >link</a>

QuackatronHQ / Gigarepo

Bad Practice

Recommended

References