target="_blank" — the most underestimated vulnerability ever
People using target="_blank" links usually have no idea about this curious fact:
The page we're linking to gains partial access to the source page via the window.opener object.
Example attack: create a fake "viral" page with cute cat pictures, jokes or whatever, get it shared on Facebook (which is known for opening links via _blank) and, every time someone clicks the link, execute this:
window.opener.location = 'https://fakewebsite/facebook.com/PHISHING-PAGE.html';
…redirecting to a page that asks the user to re-enter her Facebook password.
How to fix
Add this to your outgoing links.
Update: Firefox does not support "noopener", so add this.
Remember that every time you open a new window via window.open() you're also "vulnerable" to this, so always reset the "opener" property:
var newWnd = window.open();
newWnd.opener = null;
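To make the link-side fix checkable at build time, here is an added example (not code from the original post) that lints a template fragment for target="_blank" anchors lacking noopener/noreferrer and computes the hardened rel value. The sample HTML and the function names are constructed for this illustration.

```javascript
// Added example, not code from the original post. Constructed sample HTML for the audit.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">no rel at all</a>
<a href="https://example.com/b" target="_blank" rel="nofollow">rel without noopener</a>
<a href="https://example.com/c" target="_blank" rel="noopener">protected</a>
<a href="https://example.com/d" target='_blank' rel="noreferrer nofollow">protected</a>
<a href="https://example.com/e">same tab, opener not an issue</a>`;

// rel is a space-separated token list; normalise it for comparison.
function relTokens(rel) {
  return (rel || '').trim().split(/\s+/).filter(Boolean).map(t => t.toLowerCase());
}

// A _blank link is protected when rel carries noopener or noreferrer
// (noreferrer also severs the opener, which is why it works on browsers lacking noopener).
function isOpenerSafe(rel) {
  const tokens = relTokens(rel);
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

// Add both tokens while keeping existing ones such as nofollow; idempotent.
function hardenRel(rel) {
  const tokens = relTokens(rel);
  for (const t of ['noopener', 'noreferrer']) if (!tokens.includes(t)) tokens.push(t);
  return tokens.join(' ');
}

// Pull one attribute value (double-, single- or un-quoted) out of an <a ...> attribute string.
function attr(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Lint a static HTML fragment for target="_blank" anchors that leave window.opener reachable.
// Regex-based on purpose: meant for templates at build time, not as a general HTML parser.
function findUnsafeBlankLinks(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const target = attr(m[1], 'target');
    if (!target || target.toLowerCase() !== '_blank') continue;
    const rel = attr(m[1], 'rel');
    if (!isOpenerSafe(rel)) {
      findings.push({ href: attr(m[1], 'href') || '', rel: rel || '', fixedRel: hardenRel(rel) });
    }
  }
  return findings;
}
```

Running findUnsafeBlankLinks(SAMPLE_HTML) flags the first two anchors and proposes "noopener noreferrer" and "nofollow noopener noreferrer" as their rel values.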
P.S. Interestingly, Google doesn't seem to care.
Originally published on Founder’s blog