The Target Blank Vulnerability


Take home point: Be careful with link targets.

"When a website uses target="_blank" on their links in order to open a new tab or window, that website gives the new page access to the existing window through the window.opener API, allowing it a few permissions. Some of these permissions are automatically negated by cross-domain restrictions, but window.location is fair game.

But wait, there's more

Not only is this an issue with phishing attacks, it is also a privacy concern because the newly opened website has ongoing access to the browsing location of the original tab. It can poll for this information and get the answer. Thankfully this behavior seems to fall under the cross-domain restrictions, so while I might gain access to certain ongoing information you might not expect me to know, there are sane restrictions that should likely apply to the entire spec."

Code take home points:

//Script to remove the window.opener vulnerability in JS
//use especially for Safari browsers
var otherWindow =;
otherWindow.opener = null;
otherWindow.location = url;


<!-- HTML method of negating the opener in Chrome and Firefox -->
<a href="" target="_blank" rel="noopener noreferrer"><p>Hello, World!</p></a>

You can test if it is happening on your site: Run this in the console of the page opened by the clicked link:

if (window.opener) {
  window.opener.location = ""+document.referrer;

You can test it out on the links in this post. Or here


Chimamanda Corner: "Forget about likability"

Chimamanda Corner: "Forget about likability"

Hackathons: A shot of experience

Hackathons: A shot of experience