target="_blank" vulnerability

by Blank Blake Dietz

Here's a demo

Who is affected?

  • Any website that allows user input which contains anchor tags.

How does it work?

  • Setting the value target="_blank" on anchor tags
  • Using the equivalent JS API
    • var w = window.open("");

/*
 * This is executed from document B, so window is document B's global namespace.
 * window.opener is a reference to document A.
 */
if (window.opener) {
  // Here is where document B accesses document A
  window.opener.location = "";
}

How do you prevent it?

  • Everything except Firefox
    • <a href="" rel="noopener" target="_blank">Hello click me</a>
  • Firefox
    • <a href="" rel="noopener noreferrer" target="_blank">Hello click me</a>
  • JS Fix
    • var w = window.open("", "_blank", "noopener noreferrer");
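
As an added example (not part of the original slides), the check below audits user-supplied HTML for target="_blank" anchors that lack the rel tokens listed above, and merges those tokens into an existing rel value. The function names, the regex-based scan and the example.com sample links are assumptions made for illustration.

```javascript
// Added example: audit HTML for target="_blank" anchors missing rel tokens.
// Assumption: a regex scan suits an audit pass; use a real HTML parser to rewrite untrusted markup.
const REQUIRED_REL = ["noopener", "noreferrer"]; // superset: the Firefox form
const ANCHOR_RE = /<a(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse one opening <a ...> tag into a lower-cased attribute map.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  for (const m of tag.slice(2, -1).matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // Browsers keep the first occurrence of a duplicated attribute.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// rel is a space-separated, case-insensitive token list.
function relTokens(rel) {
  return new Set((rel || "").toLowerCase().split(/\s+/).filter(Boolean));
}

// Return every anchor that opens a new tab without the required rel tokens.
function findUnsafeBlankLinks(html) {
  const findings = [];
  for (const [tag] of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(tag);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const have = relTokens(attrs.rel);
    const missing = REQUIRED_REL.filter((t) => !have.has(t));
    if (missing.length > 0) findings.push({ tag, missing });
  }
  return findings;
}

// Merge the required tokens into an existing rel value, keeping e.g. nofollow.
function hardenRel(rel) {
  return [...new Set([...relTokens(rel), ...REQUIRED_REL])].join(" ");
}

// Constructed sample input (example.com links are placeholders).
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">no rel</a>',
  '<a href="https://example.com/b" rel="noopener" target="_blank">noopener only</a>',
  "<a href='https://example.com/c' rel='nofollow NoOpener noreferrer' TARGET=_BLANK>ok</a>",
  '<a href="https://example.com/d" rel="nofollow">same tab</a>',
  '<a title="1 > 0" target="_blank" href="https://example.com/e">quoted gt</a>',
].join("\n");
console.log(findUnsafeBlankLinks(SAMPLE));
```

Requiring both tokens is the stricter policy; a site that only needs the non-Firefox form from the list above can reduce REQUIRED_REL to "noopener".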

Is this worth fixing?

Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can't be meaningfully mitigated by any single website; in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones.


By Blake A Dietz

