DEV Community 👩‍💻👨‍💻

Discussion on: target="_blank" is a security risk?

Collapse
thehassantahir profile image
Hassan Tahir Author • Edited on

@deathshadow60 No hard feelings, Have you ever tried to exploit this way?

Collapse
deathshadow60 profile image
deathshadow60

As I said, "I'm going to have to test this" -- and I just did, and it doesn't do what's claimed in Vivaldi or Firefox. Did some research and this security hole was apparently plugged years ago.

Thread Thread
codingjlu profile image
codingjlu

It's been plugged, but realize there are people who haven't updated their browsers since years ago.

Thread Thread
ravavyr profile image
Ravavyr

"what" has been fixed exactly?
Isn't this still a potential attack vector?
thecodest.co/blog/web-app-security...

Thread Thread
deathshadow60 profile image
deathshadow60 • Edited on

In the case that article outlines, at least for me in FF, Vivaldi, and Chrome (Winblows 10 and Linsux) window.opener is NULL meaning that code doesn't work. Their codeSandbox example throwing the following error:

TypeError Cannot set properties of null (setting 'location') HTMLAnchorElement.link.onclick

window.opener is null, As such they're only infecting two things. And Jack left town.

Technically if you open with _blank anyways unless you set rel="opener", there shouldn't be window.opener available on the resulting page either nor should it impact http_referer. As per what MDN says on it:

developer.mozilla.org/en-US/docs/W...

and I quote:

Windows opened because of links with a target of _blank don't get an opener, unless explicitly requested with rel=opener.

They also suggest setting Cross-Origin-Opener-Policy to same-origin in your CSP, which is good advice if you really care about it and are using the middle finger to accessibility.

As such the only people likely to get infected by it are those who don't update their browsers, in which case there are hundreds if not thousands of vulnerabilities they're open to, and they get what's coming to them.