Summary

Windows opened through normal links (href) with target="_blank" can modify window.opener.location and replace the parent webpage with something else, even when it is on a different origin.

While this doesn't allow script execution, it does allow phishing attacks that silently replace the parent tab.

Impact

If a link lacks the rel="noopener noreferrer" attribute, a third-party site can change the URL of the source tab using window.opener.location.assign, trick the user into believing they are still on a trusted page, and lead them to enter secret information or credentials into the malicious copy.

Remediation

To prevent pages from abusing window.opener, use rel=noopener. This ensures window.opener is null in Chrome 49 and Opera 36.

For older browsers and in Firefox, you could use rel=noreferrer which also disables the Referer HTTP header.

<a href="..." target="_blank" rel="noopener noreferrer">...</a>
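
A static audit for the remediation above, as an added example (not Netsparker's code): it scans HTML for target="_blank" anchors and reports which of the two rel tokens each one lacks. The sample markup, the partner.example URLs and the function names are constructed for illustration; reporting a link that carries only one token as partial is this example's assumption.

```javascript
// Constructed sample markup covering quoted, unquoted and mixed-case attributes.
const SAMPLE_HTML = `
<a href="https://partner.example/a" target="_blank">no rel</a>
<a href="https://partner.example/b" target="_blank" rel="noopener noreferrer">both</a>
<A HREF='https://partner.example/c' TARGET=_BLANK REL="nofollow NoOpener">only noopener</A>
<a href="/local" rel="nofollow">same tab, not affected</a>
<a target="_blank" href="https://partner.example/d" rel=noreferrer>only noreferrer</a>
`;

// Parse one tag's attribute text into a lower-cased name -> value map.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in HTML parsers.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per target="_blank" anchor that lacks a rel token.
function auditBlankLinks(html) {
  const findings = [];
  // Quoted values are consumed whole so a ">" inside them does not end the tag.
  const tagRe = /<a\s((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    // rel is a space-separated, case-insensitive token list.
    const rel = new Set((attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
    const missing = ["noopener", "noreferrer"].filter((t) => !rel.has(t));
    if (missing.length > 0) {
      findings.push({ href: attrs.href || "", missing, unprotected: missing.length === 2 });
    }
  }
  return findings;
}

for (const f of auditBlankLinks(SAMPLE_HTML)) {
  const level = f.unprotected ? "VULNERABLE" : "PARTIAL";
  console.log(`${level} ${f.href} missing: ${f.missing.join(", ")}`);
}
```

Links created at runtime by script do not appear in static markup, so this check only covers the HTML as served.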

Classifications

OWASP 2013-A5