Developers who use target='_blank' links usually have no idea about this curious fact:
The page we're linking to gains partial access to the linking page via the window.opener object. The newly opened tab can, say, change the window.opener.location of the page that linked to it.
Example attack: create a fake "viral" page with cute cat pictures, jokes or whatever, get it shared on Facebook (which is known for opening links via _blank), and every time someone clicks the link, execute
window.opener.location = 'https://fakewebsite/facebook.com/PHISHING-PAGE.html';
which redirects the original tab to a page that asks the user to re-enter her Facebook password.
Add rel="noopener" to your outgoing links.
Update: Firefox does not support "noopener", so add this as well.
Remember that every time you open a new window via window.open() you're also "vulnerable" to this, so always reset the "opener" property:
var newWnd = window.open(); newWnd.opener = null;
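As an added example (not code from the original post), the two fixes above, the rel attribute on links and nulling the opener after window.open(), as small helpers that run on real DOM anchors in a browser; the fakeAnchor factory is constructed here only so the logic can be exercised offline, and "noreferrer" is the assumed fallback token for browsers that ignore "noopener":

```javascript
// Compute the rel value a link needs: add "noopener" plus "noreferrer" (assumed
// fallback for browsers without "noopener") without dropping existing rel tokens.
function hardenedRel(existingRel) {
  const tokens = new Set((existingRel || '').split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return Array.from(tokens).join(' ');
}

// Only links that open a new browsing context hand window.opener to the target.
function opensNewContext(anchor) {
  const target = (anchor.getAttribute('target') || '').toLowerCase();
  return target === '_blank';
}

// Fix one anchor in place; returns true if its rel attribute was changed.
function hardenAnchor(anchor) {
  if (!opensNewContext(anchor)) return false;
  const before = anchor.getAttribute('rel') || '';
  const after = hardenedRel(before);
  if (after === before) return false;
  anchor.setAttribute('rel', after);
  return true;
}

// Walk a document (or any node with querySelectorAll) and fix every _blank link.
function hardenAllLinks(root) {
  let changed = 0;
  for (const a of root.querySelectorAll('a[target]')) {
    if (hardenAnchor(a)) changed++;
  }
  return changed;
}

// window.open() hands the opener to the new window too; null it immediately.
function safeOpen(url) {
  const w = window.open(url, '_blank');
  if (w) w.opener = null;
  return w;
}

// Constructed stand-in for an <a> element so the helpers run outside a browser.
function fakeAnchor(attrs) {
  const map = Object.assign({}, attrs);
  return {
    getAttribute: (k) => (k in map ? map[k] : null),
    setAttribute: (k, v) => { map[k] = v; },
  };
}
```

In a browser, call hardenAllLinks(document) once the page has loaded, or run it again after injecting user-generated content.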
PS. Interestingly, Google doesn't seem to care.
by Alex. CEO, founder