People using target='_blank' links usually have no idea about this curious fact: the linked page gains partial access to the linking page via the window.opener object (cross-origin it cannot read the opener's content, but it can navigate it).

The newly opened tab can then change window.opener.location to some phishing page. Users trust the page that is already opened, so they won't get suspicious.
Example attack scenario

The opened page runs, for example:

window.opener.location = 'https://fakewebsite/facebook.com/page.html';

which redirects the Facebook tab to your phishing page, asking the user to re-enter their Facebook password.
Add this to your outgoing links:

rel="noopener"

Update: Firefox does not support "noopener", so add this instead:

rel="noopener noreferrer"
Remember that every time you open a new window via window.open(), you're also "vulnerable" to this, so always reset the "opener" property:

var newWnd = window.open();
newWnd.opener = null;
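As an added example (not code from the original post), the following helpers put both pieces of advice above into defensive code: hardenRel/hardenAnchors audit anchors for target="_blank" without rel="noopener" and append "noopener noreferrer", and openWithoutOpener wraps window.open() so the new window never keeps a usable opener. The function names and the stub-document shape are assumptions; hardenAnchors accepts any object with querySelectorAll() so it runs on a real DOM document or on a test stub.

```javascript
'use strict';

// Tokens a hardened rel attribute must carry; "noreferrer" is kept as the
// post recommends, as a fallback for browsers that ignore "noopener".
const REQUIRED_REL = ['noopener', 'noreferrer'];

// Return the rel value an anchor should have: existing tokens (e.g. "nofollow")
// are preserved and any missing hardening token is appended once.
function hardenRel(rel) {
  const tokens = (rel || '').split(/\s+/).filter(Boolean);
  const have = new Set(tokens.map((t) => t.toLowerCase()));
  for (const t of REQUIRED_REL) if (!have.has(t)) tokens.push(t);
  return tokens.join(' ');
}

// True when a link opens a new browsing context (target="_blank") without
// rel="noopener": the case in which the opened page receives window.opener.
function isUnsafeBlankLink(target, rel) {
  if ((target || '').toLowerCase() !== '_blank') return false;
  const tokens = (rel || '').toLowerCase().split(/\s+/);
  return !tokens.includes('noopener');
}

// Walk every anchor with a target attribute and harden the unsafe ones.
// Returns the number of anchors that were changed.
function hardenAnchors(doc) {
  let fixed = 0;
  for (const a of doc.querySelectorAll('a[target]')) {
    const target = a.getAttribute('target');
    const rel = a.getAttribute('rel');
    if (isUnsafeBlankLink(target, rel)) {
      a.setAttribute('rel', hardenRel(rel));
      fixed++;
    }
  }
  return fixed;
}

// Programmatic counterpart of the post's window.open() advice: request the
// "noopener" window feature, and for browsers that still hand back the new
// window, sever the opener link by hand.
function openWithoutOpener(win, url) {
  const newWnd = win.open(url, '_blank', 'noopener');
  if (newWnd) newWnd.opener = null; // null when "noopener" was honoured
  return newWnd;
}

// In a browser, harden the current page's links on load.
if (typeof document !== 'undefined') hardenAnchors(document);
```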
PS: Interestingly, Google doesn't seem to care.