target="_blank" vulnerability

by Blank Blake Dietz

Here's a demo

Who is affected?

  • Any website that allows user input which contains anchor tags.

How does it work?

  • Setting the value target="_blank" on anchor tags
  • Using the equivalent JS API
    • var w = window.open("https://foo.com");
/**
* This is executed from document B, so window is document B's global name space.
* window.opener is a reference to document A.
*/
if (window.opener) {  
  // Here is where document B accesses document A 
  window.opener.location = "https://f00.com";
}

How do you prevent it?

  • Everything except Firefox
    • <a href="http://www.foo.com" rel="noopener" target="_blank">Hello click me</a>
  • Firefox
    • <a href="https://www.foo.com" rel="noopener noreferrer" target="_blank">Hello click me</a>
  • JS Fix
    • var w = window.open("https://foo.com", "_blank", "noopener,noreferrer");
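
For sites that accept user-submitted anchor tags, the rel fix above can be enforced server-side before the markup is stored or rendered. The following is an added example, not code from the original slides; the function names hardenAnchors and parseAttrs are hypothetical, and it goes slightly beyond the slides by also covering named targets (for example target="popup"), which open a new window just as "_blank" does.

```javascript
// Added example (not from the original slides). Simplified tag scanner for
// illustration; production code should use a real HTML parser or sanitizer.
const REQUIRED_REL = ["noopener", "noreferrer"];
const SAME_CONTEXT = ["", "_self", "_parent", "_top"]; // targets that open no new window

// Parse the attribute text of one start tag into [name, value] pairs.
function parseAttrs(raw) {
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const attrs = [];
  let m;
  while ((m = re.exec(raw)) !== null) {
    attrs.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  }
  return attrs;
}

// Return html with rel="noopener noreferrer" enforced on every <a> that
// opens a new browsing context. Other tags and anchors are left untouched.
function hardenAnchors(html) {
  const anchor = /<a(?=[\s>\/])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  return html.replace(anchor, (tag, raw) => {
    const attrs = [];
    for (const [name, value] of parseAttrs(raw)) {
      // Browsers keep only the first of duplicate attributes, so do the same.
      if (!attrs.some(([n]) => n === name)) attrs.push([name, value]);
    }
    const target = attrs.find(([n]) => n === "target");
    if (!target || SAME_CONTEXT.includes(target[1].toLowerCase())) return tag;
    let rel = attrs.find(([n]) => n === "rel");
    if (!rel) attrs.push((rel = ["rel", ""]));
    // Merge the required tokens into whatever rel tokens the user supplied.
    const tokens = new Set(rel[1].toLowerCase().split(/\s+/).filter(Boolean));
    REQUIRED_REL.forEach((t) => tokens.add(t));
    rel[1] = [...tokens].join(" ");
    const body = attrs.map(([n, v]) => `${n}="${v.replace(/"/g, "&quot;")}"`);
    return `<a ${body.join(" ")}>`;
  });
}

// Constructed sample of user-submitted markup.
const sample = `<a href="https://foo.com" target="_blank">Hello click me</a>`;
console.log(hardenAnchors(sample));
```

Anchors without a target, or with target="_self", pass through byte-for-byte, so the rewrite only touches links that would otherwise expose window.opener.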

Is this worth fixing?

Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can't be meaningfully mitigated by any single website; in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones.

target="blank"

By Blake A Dietz
