target="_blank" vulnerability
by Blank Blake Dietz
Here's a demo
Who is affected?
- Any website that allows user input which contains anchor tags.
How does it work?
- Setting the value target="_blank" on anchor tags
- Using the equivalent JS API:
		var w = window.open("https://foo.com");

/**
* This is executed from document B, so window is document B's global name space.
* window.opener is a reference to document A.
*/
if (window.opener) {  
  // Here is where document B accesses document A 
  window.opener.location = "https://f00.com";
}
How do you prevent it?
- Everything except Firefox
		<a href="http://www.foo.com" rel="noopener" target="_blank">Hello click me</a>
- Firefox
		<a href="https://www.foo.com" rel="noopener noreferrer" target="_blank">Hello click me</a>
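- JS Fix
		// The second argument (the target) is required before the features string.
		// With noopener the call returns null, so w is not a handle to the new window.
		var w = window.open("https://foo.com", "_blank", "noopener noreferrer");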
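One way to apply the rel fix to links in user-submitted markup before it is shown, as an added example that is not part of the original slides. The function names hardenedRel and hardenLinks are hypothetical. It goes one step beyond the slides by also covering named targets (any target other than _self, _parent or _top can open a new window) and by dropping an explicit rel="opener".

```javascript
// Added example, not from the original slides; function names are hypothetical.

// Targets that reuse an existing browsing context and so never set window.opener.
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);

// Return the rel value a link with this target should carry, or null when the
// target does not open a new browsing context and no change is needed.
function hardenedRel(target, rel) {
  const t = (target || "").trim().toLowerCase(); // target keywords are case-insensitive
  if (SAME_CONTEXT.has(t)) return null;
  // rel is a whitespace-separated, case-insensitive token list.
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  // Drop "opener": it explicitly asks the browser to expose window.opener.
  const kept = tokens.filter((tok) => tok !== "opener");
  for (const needed of ["noopener", "noreferrer"]) {
    if (!kept.includes(needed)) kept.push(needed);
  }
  return [...new Set(kept)].join(" "); // de-duplicate, keep original order
}

// Apply the fix to every link under `root`, for example the DOM container that
// holds user-submitted markup. Returns the elements that were changed.
function hardenLinks(root) {
  const changed = [];
  for (const el of root.querySelectorAll("a[target], area[target]")) {
    const current = el.getAttribute("rel");
    const wanted = hardenedRel(el.getAttribute("target"), current);
    if (wanted !== null && wanted !== current) {
      el.setAttribute("rel", wanted);
      changed.push(el);
    }
  }
  return changed;
}
```

In a browser, call hardenLinks on the container element after inserting the user content. Links created later by script need the same pass.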
		
Is this worth fixing?
Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can't be meaningfully mitigated by any single website; in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones.