When a link opens a URL in a new tab with ``++target="_blank"++``, it is very simple for the opened page to change the ``++location++`` of the original page because the JavaScript variable ``++window.opener++`` is not ``++null++`` and thus ``++window.opener.location++`` can be set by the opened page. This exposes the user to very simple phishing attacks.
Imagine a link posted in a comment on a popular web site: it opens a new tab which then changes the URL of the original tab to "http://example.com/dangerous". On "http://example.com/dangerous" the user lands on a fake login page that looks like the original site's login page but is controlled by the hacker, asking the user to log in again and pretending that the session just timed out.
To prevent pages from abusing ``++window.opener++``, use ``++rel=noopener++`` on ``++<a href=>++`` to force its value to be ``++null++`` on the opened pages.
In Chrome 88+, Firefox 79+ or Safari 12.1+, ``++target=_blank++`` on anchors implies ``++rel=noopener++``, which makes the protection enabled by default.
== Ask Yourself Whether
* The application opens untrusted external URLs in a new tab using ``++target=_blank++``
* The application supports web browsers before Chrome 88, Firefox 79 or Safari 12.1
There is a risk if you answered yes to all of those questions.
== Recommended Secure Coding Practices
* Use ``++rel=noopener++`` on ``++<a href=>++`` to prevent untrusted pages from abusing ``++window.opener++``.
== Sensitive Code Example
----
<a href="http://example.com/dangerous" target="_blank"> <!-- Sensitive; "window.opener" may not be null on the new tab/window and could be changed by http://example.com/dangerous -->
----
No issue will be raised when ``++href++`` contains a hardcoded relative URL, as it then has less chance of being vulnerable. A URL is considered hardcoded and relative if it doesn't start with ``++http://++`` or ``++https://++``, and if it does not contain any of the characters ``++{}$()[]++``.
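As an added example (not part of this rule's own implementation), the following JavaScript applies the heuristic described above to anchor tags in an HTML string: it flags ``++target=_blank++`` anchors that lack ``++rel=noopener++`` and whose ``++href++`` is not a hardcoded relative URL, and shows the recommended fix by adding ``++rel="noopener"++`` to a flagged tag. The function names, the attribute-parsing regex and the sample HTML are assumptions constructed for this illustration.

```javascript
// Added example: a small checker for the rel=noopener heuristic described above.
// Names, regexes and sample input are constructed for this illustration.

// Characters that indicate a templated (non-hardcoded) href.
const TEMPLATE_CHARS = /[{}$()\[\]]/;

// A URL is "hardcoded and relative" when it does not start with http:// or https://
// and contains none of the characters {}$()[].
function isHardcodedRelativeUrl(href) {
  const lower = href.trim().toLowerCase();
  if (lower.startsWith('http://') || lower.startsWith('https://')) return false;
  return !TEMPLATE_CHARS.test(href);
}

// Parse the attributes of one <a ...> opening tag into an object keyed by
// lower-cased attribute name (quoted and unquoted values are both accepted).
function parseAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// True when the anchor opens a new tab, carries no rel=noopener, and its href
// is not a hardcoded relative URL (the conditions under which the rule reports).
function isSensitiveAnchor(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const relTokens = (attrs.rel || '').toLowerCase().split(/\s+/);
  if (relTokens.includes('noopener')) return false;
  if (attrs.href !== undefined && isHardcodedRelativeUrl(attrs.href)) return false;
  return true;
}

// Scan an HTML string and return the opening tags of every sensitive anchor.
function findSensitiveAnchors(html) {
  const found = [];
  const tagRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (isSensitiveAnchor(parseAttributes(m[0]))) found.push(m[0]);
  }
  return found;
}

// Recommended fix: rewrite one opening tag so that it carries rel="noopener",
// appending to an existing rel attribute rather than replacing it.
function addNoopener(tag) {
  const attrs = parseAttributes(tag);
  if ((attrs.rel || '').toLowerCase().split(/\s+/).includes('noopener')) return tag;
  if (attrs.rel === undefined) return tag.replace(/>$/, ' rel="noopener">');
  return tag.replace(/rel\s*=\s*(["'])([^"']*)\1/i,
    (_, q, v) => `rel=${q}${v ? v + ' ' : ''}noopener${q}`);
}

// Constructed sample input covering the cases discussed above.
const SAMPLE_HTML = `
<a href="http://example.com/dangerous" target="_blank">external, no rel</a>
<a href="http://example.com/dangerous" target="_blank" rel="noopener noreferrer">external, protected</a>
<a href="/account/settings" target="_blank">hardcoded relative, not reported</a>
<a href="{{ profile.url }}" target="_blank">templated href, reported</a>
<a href="http://example.com/dangerous">same tab, not reported</a>
`;

// Stand-alone usage: list the sensitive anchors and show the fixed form of each.
for (const tag of findSensitiveAnchors(SAMPLE_HTML)) {
  console.log('Sensitive:', tag);
  console.log('Fixed:    ', addNoopener(tag));
}
```

The checker works on opening tags only, so a template engine that builds the ``++href++`` at runtime is treated as not hardcoded (and therefore reported), matching the rule's intent; running it over the sample above reports the plain external link and the templated one, and nothing else.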