A newly opened window having access back to the originating window could allow basic phishing attacks: the window.opener object is not null, so window.opener.location can be set to a malicious website by the opened page.
For instance, an attacker can put a link (say "http://example.com/mylink") on a popular website that, when opened, changes the original page to "http://example.com/fake_login". On "http://example.com/fake_login" there is a fake login page which could trick real users into entering their credentials.
Ask Yourself Whether
- The application opens untrusted external URLs.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Use noopener to prevent untrusted pages from abusing window.opener.
Note: In Chrome 88+, Firefox 79+ or Safari 12.1+, target=_blank on anchors implies rel=noopener, which makes the protection enabled by default.
Sensitive Code Example
<a href="http://example.com/dangerous" target="_blank"> <!-- Sensitive -->
<a href="{{variable}}" target="_blank"> <!-- Sensitive -->
Compliant Solution
To prevent pages from abusing window.opener, use rel=noopener on <a href=> to force its value to be null on the opened pages.
<a href="http://petssocialnetwork.io" target="_blank" rel="noopener">
Exceptions
No issue will be raised when href contains a hardcoded relative URL, as it has less chance of being vulnerable. A URL is considered hardcoded and relative if it doesn't start with http:// or https://, and if it does not contain any of the characters {}$()[]
<a href="internal.html" target="_blank">
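The following is an added example, not part of the rule page and not SonarSource's own implementation. It applies the rule's logic as a small audit function over constructed sample anchors: an anchor is flagged when target="_blank" is set, rel does not carry the noopener token, and href is not a hardcoded relative URL as defined in the Exceptions above. The attribute parser and the function names are assumptions made for this example.

```javascript
// Added example (not from the rule page): a checker that mirrors the rule's
// logic for <a target="_blank"> anchors and the hardcoded-relative-URL exception.

// Hardcoded relative URL per the rule: does not start with http:// or https://
// and contains none of the characters { } $ ( ) [ ]
function isHardcodedRelativeUrl(href) {
  if (typeof href !== 'string') return false;
  if (/^https?:\/\//i.test(href)) return false;
  return !/[{}$()\[\]]/.test(href);
}

// rel is a space-separated token list; the noopener token anywhere in it counts.
function hasNoopener(rel) {
  if (typeof rel !== 'string') return false;
  return rel.toLowerCase().split(/\s+/).includes('noopener');
}

// Returns true when the anchor should be reported as sensitive:
// opens a new browsing context, no noopener, and href is not a trusted relative URL.
function isSensitiveAnchor({ href, target, rel }) {
  if (typeof target !== 'string' || target.toLowerCase() !== '_blank') return false;
  if (hasNoopener(rel)) return false;
  if (isHardcodedRelativeUrl(href)) return false;
  return true;
}

// Minimal attribute extractor for a single <a ...> tag (hypothetical helper;
// handles double-quoted attributes only, enough for the constructed samples below).
function anchorAttributes(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Constructed sample anchors, modelled on the examples in the rule text.
const SAMPLE_ANCHORS = [
  '<a href="http://example.com/dangerous" target="_blank">',          // sensitive
  '<a href="{{variable}}" target="_blank">',                           // sensitive (templated)
  '<a href="http://petssocialnetwork.io" target="_blank" rel="noopener">', // compliant
  '<a href="internal.html" target="_blank">',                          // exception: relative
  '<a href="http://example.com/dangerous">',                           // no new window
];

// Audit a list of anchor tags; returns one finding per tag.
function auditAnchors(tags) {
  return tags.map((tag) => ({ tag, sensitive: isSensitiveAnchor(anchorAttributes(tag)) }));
}

// Remediation helper: add the noopener token to rel without dropping existing tokens.
function withNoopener(attrs) {
  const tokens = typeof attrs.rel === 'string' ? attrs.rel.split(/\s+/).filter(Boolean) : [];
  if (!tokens.map((t) => t.toLowerCase()).includes('noopener')) tokens.push('noopener');
  return { ...attrs, rel: tokens.join(' ') };
}

for (const f of auditAnchors(SAMPLE_ANCHORS)) {
  console.log(f.sensitive ? 'SENSITIVE ' : 'ok        ', f.tag);
}
```

Running the block prints one line per sample anchor; the first two are reported and the remaining three are not. withNoopener shows the fix the Compliant Solution describes, applied to an attribute map so that an existing rel value such as "nofollow" is preserved.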
See