Above is a link to my tribute page, I just completed it today. Please do check it and tell me your thoughts about it? Thank you.
Hi @eazy,
- Target blank vulnerability
<a href="https://www.activistpost.com/2012/01/10-inventions-of-nikola-tesla-that.html" target="_blank">
MDN documentation:
<a>: The Anchor element - HTML: HyperText Markup Language | MDN
Note: When using target, consider adding rel="noopener noreferrer"
to avoid exploitation of the window.opener API.
TL;DR If window.opener is set, a page can trigger a navigation in the opener regardless of security origin.
Target="_blank" - the most underestimated vulnerability ever
People using target="_blank" links usually have no idea about this curious fact:
The page we're linking to gains partial access to the linking page via the window.opener object.
The newly opened tab can, say, change the window.opener.location to some phishing page. Or execute some JavaScript on the opener-page on your behalf... Users trust the page that is already opened, they won't get suspicious.
How to fix
Add this to your outgoing links.
rel="noopener"
Update: FF does not support "noopener" so add this.
rel="noopener noreferrer"
Remember that every time you open a new window via window.open(); you're also "vulnerable" to this, so always reset the "opener" property
var newWnd = window.open();
newWnd.opener = null;
Cheers and happy coding
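The two fixes in the reply above (adding rel="noopener noreferrer" to outgoing target="_blank" links, and nulling out opener on windows created with window.open()) are shown below as a small added example; this is not code from the thread or from the tribute page. The HTML snippet and the example.test URL are constructed for illustration, the anchor-rewriting regex is a simplification that handles plain tags like the one quoted above rather than arbitrary HTML, and the window object is passed in as a parameter so the helper can be exercised outside a browser.

```javascript
// Added example: hardening target="_blank" links and window.open() against
// reverse tabnabbing via window.opener. Not part of the original thread.

// Return a rel attribute value that is guaranteed to contain both
// "noopener" and "noreferrer" while keeping any tokens already present.
function hardenRel(rel) {
  const tokens = new Set((rel || "").split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return Array.from(tokens).join(" ");
}

// Rewrite every <a ...> that carries target="_blank" so it also carries the
// hardened rel value. Anchors without target="_blank" are left untouched.
// Simplification (assumption): a regex over simple tags, not a real HTML parser.
function hardenBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (match, attrs) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(attrs)) return match;
    const relMatch = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const rel = hardenRel(relMatch ? relMatch[1] : "");
    const newAttrs = relMatch
      ? attrs.replace(relMatch[0], `rel="${rel}"`)
      : `${attrs} rel="${rel}"`;
    return `<a${newAttrs}>`;
  });
}

// Wrapper for window.open(): request "noopener" in the features string and,
// as a fallback for browsers that ignore it, null out the opener on the handle.
// Browsers that honour "noopener" return null from open(), so that case is
// handled too. `win` is injected so the function can run outside a browser.
function safeOpen(win, url) {
  const child = win.open(url, "_blank", "noopener,noreferrer");
  if (child) child.opener = null;
  return child;
}

// Constructed sample: the kind of link the thread is about (example.test URL).
const SAMPLE_HTML =
  '<a href="https://example.test/article" target="_blank">Read more</a>' +
  '<a href="/about">About</a>';

// Demonstration when run directly with node.
if (typeof require !== "undefined" && require.main === module) {
  console.log(hardenBlankLinks(SAMPLE_HTML));
}
```

In a real page the rewrite would run over document.querySelectorAll('a[target="_blank"]') and set each element's rel property instead of editing an HTML string; the string form is used here only so the logic can be checked without a DOM.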
Thanks for your reply. I will add that property as recommended.