A newly opened window having access back to the originating window could allow basic phishing attacks (the
window.opener object is not
null and thus
window.opener.location can be set to a malicious website by the opened page).
For instance, an attacker can put a link (say: "http://example.com/mylink") on a popular website that changes, when opened, the original page to
"http://example.com/fake_login". On "http://example.com/fake_login" there is a fake login page which could trick real users to enter their
Ask Yourself Whether
- The application opens untrusted external URL.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
noopener to prevent untrusted pages from abusing
Note: In Chrome 88+, Firefox 79+ or Safari 12.1+
target=_blank on anchors implies
rel=noopener which make the protection
enabled by default.
Sensitive Code Example
window.open("https://example.com/dangerous", "WindowName", "noopener");