Updated Aug 25 2021 :: by Alex Yumashev

People using target='_blank' links usually have no idea about this curious fact:

The linked page gains partial access to the linking page via the window.opener object.

The newly opened tab can then change window.opener.location to point at a phishing page. Because users trust the page that is already open, they won't get suspicious.

Example attack scenario

  • Create a fake "viral" page with cute cat pictures, jokes or whatever, and get it shared on Facebook (which is known for opening links via _blank).
  • Create a "phishing" website at https://fakewebsite/facebook.com/page.html, for example.
  • Put this code into your "viral" page:
    window.opener.location = 'https://fakewebsite/facebook.com/page.html';
    It redirects the Facebook tab to your phishing page, which asks the user to re-enter their Facebook password.

How to fix

Add this to your outgoing links:

rel="noopener"

Update: Firefox does not support "noopener", so add this instead:

rel="noopener noreferrer"

Remember that every time you open a new window via window.open() you are also "vulnerable" to this, so always reset the "opener" property:

var newWnd = window.open();
newWnd.opener = null; // sever the back-reference so the new window cannot reach this one
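As an added example (not code from the original post), here is a small audit-and-fix script for the two link fixes above: it lists the anchors in a piece of markup that use target="_blank" without rel="noopener" or rel="noreferrer", and rewrites them to carry "noopener noreferrer". The regex-based scanner and the sample markup are my own simplifications, not a full HTML parser.

```javascript
// Added example: find and harden target="_blank" links that leave
// window.opener reachable. Regex scanner only, not a full HTML parser.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;

// Parse the attributes of one <a ...> start tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.slice(2).matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// True when the link opens a new tab without severing window.opener.
function isTabnabbable(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Return the href of every anchor in `html` that still exposes window.opener.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[0]);
    if (isTabnabbable(attrs)) unsafe.push(attrs.href || "");
  }
  return unsafe;
}

// Rewrite unsafe anchors, appending "noopener noreferrer" to any existing rel.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if (!isTabnabbable(attrs)) return tag;
    const rel = (attrs.rel ? attrs.rel + " " : "") + "noopener noreferrer";
    const stripped = tag.replace(/\srel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, "");
    return stripped.replace(/>$/, ` rel="${rel}">`);
  });
}

// Constructed sample markup for a quick self-check (not from any real site).
const SAMPLE_HTML = `
<a href="https://example.com/cats" target="_blank">cats</a>
<a href="https://example.com/safe" target="_blank" rel="noopener noreferrer">safe</a>
<a href="/local">local</a>
<a href='https://example.com/tagged' rel='nofollow' target='_blank'>tagged</a>`;
```

Running findUnsafeLinks(SAMPLE_HTML) flags the "cats" and "tagged" links; after hardenLinks() the same scan returns nothing.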

PS. Interestingly, Google doesn't seem to care.

'Target="_blank" - the most underestimated vulnerability ever' was written by Alex Yumashev
Alex has founded Jitbit in 2005 and is a software engineer passionate about customer support.
