Avoid
target='_blank' attribute without rel='noopener noreferrer' JS-0422Using target="_blank" without rel="noreferrer" (which implies rel="noopener") is a security risk in older browsers: see https://mathiasbynens.github.io/rel-noopener/#recommendations
15 </ul>
16 <button>Login</button>
17 <SideBar></SideBar>
18 <a href="javascript:void(0)" target='_blank'>FAQs</a>19 </>
20 );
21}Using target="_blank" without rel="noreferrer" (which implies rel="noopener") is a security risk in older browsers: see https://mathiasbynens.github.io/rel-noopener/#recommendations
15 </ul>
16 <button>Login</button>
17 <SideBar></SideBar>
18 <a href="javascript:void(0)" target='_blank'>FAQs</a>19 </>
20 );
21}
Description
When creating a JSX element with a tag, it is often desired to have the link open in a new tab using the target='_blank' attribute. Using this attribute unaccompanied by rel='noreferrer', however, is a severe security vulnerability.
Using target='_blank' links grants the page we are linking to a partial access to the source page via the window.opener object.
The newly opened tab can then change the window.opener.location to some phishing page. Or execute some JavaScript on the opener page on their behalf.
Since the users trust the page that is already opened, they won't get suspicious and this might result in a security risk.
Bad Practice
// Bad: Example 1
var Hello = <a target='_blank' href="http://example.com/"></a>
// Bad: Example 2
var Hello = <a target='_blank' href={dynamicLink}></a>
Recommended
// Example 1
var Hello = <p target="_blank"></p>
// Example 2
var Hello = <a target="_blank" rel="noreferrer" href="http://example.com"></a>
// Example 3
var Hello = <a target="_blank" rel="noopener noreferrer" href="http://example.com"></a>
// Example 4
var Hello = <a target="_blank" href="relative/path/in/the/host"></a>
// Example 5
var Hello = <a target="_blank" href="/absolute/path/in/the/host"></a>
// Example 6
var Hello = <a></a>