target='_blank' links usually have no idea about this curious fact:
The page we're linking to gains partial access to the linking page via the
The newly opened tab can then change the
window.opener.location to some phishing page. Users trust the page that is already opened, they won't get suspicious.
Example attack scenario
window.opener.location = 'https://fakewebsite/facebook.com/page.html';which redirects the Facebook tab to your phishing page, asking the user to re-enter her Facebook password.
Add this to your outgoing links.
Update: FF does not support "noopener" so add this.
Remember, that every time you open a new window via
window.open(); you're also "vulnerable" to this, so always reset the "opener" property
var newWnd = window.open(); newWnd.opener = null;
PS. Interestingly, Google doesn't seem to care.
by Alex. CEO, founder