When creating a JSX element with a tag, it is often desired to have the link open in a new tab using the target='_blank' attribute. Using this attribute unaccompanied by rel='noreferrer', however, is a severe security vulnerability.

Using target='_blank' links grants the page we are linking to a partial access to the source page via the window.opener object.

The newly opened tab can then change the window.opener.location to some phishing page. Or execute some JavaScript on the opener page on their behalf. Since the users trust the page that is already opened, they won't get suspicious and this might result in a security risk.

Bad Practice

// Bad: Example 1
var Hello = <a target='_blank' href="http://example.com/"></a>

// Bad: Example 2
var Hello = <a target='_blank' href={dynamicLink}></a>

Recommended

// Example 1
var Hello = <p target="_blank"></p>

// Example 2
var Hello = <a target="_blank" rel="noreferrer" href="http://example.com"></a>

// Example 3
var Hello = <a target="_blank" rel="noopener noreferrer" href="http://example.com"></a>

// Example 4
var Hello = <a target="_blank" href="relative/path/in/the/host"></a>

// Example 5
var Hello = <a target="_blank" href="/absolute/path/in/the/host"></a>

// Example 6
var Hello = <a></a>

References

OWASP A05:2021 - Security Misconfiguration
Reverse Tabnabbing

deepsourcestatus / test-repository

No ignore rules found