Dangerous target="_blank"

    Most people create external links via target="_blank" and don't know about one interesting nuance: the page opened this way gains partial control over the page that linked to it, through the JavaScript window.opener property.

    Through window.opener.location we can redirect it to, for example, a phishing page. This is a kind of tabnabbing, only a more advanced one, since the victim least expects page spoofing in a previously opened, trusted browser tab.

    The problem is far from new, but it is still relevant and, as far as I can see, not many people know about it.

    The problem also exists on Facebook.

    For example: open a post and click on the link, then look at what happened to the tab in which we opened that post.


    The post on FB was hidden because of complaints that access to the account had to be restored after clicking on the link (proof). You can try placing the hidden post with the sli.su/kitten.html page yourself, or see how it works here on Habr. The sli.su/kitten.html page has the following code:

    window.opener.location = 'https://sli.su/facebook.com/auth.html';
    

    It creates a redirect from a previously trusted page. This happens because nobody told the browser that the page being opened should not have access to the parent tab. At the time of publication this works without problems in Chrome 50, Firefox 45 and Opera 36.

    Many sites sin this way, and some do not even consider it a problem "on their side": sites.google.com/site/bughunteruniversity/nonvuln/phishing-with-window-opener

    Options for solving the problem:

    1. Add to links:

    rel="noopener"
    

    It could also be

    rel="nofollow noopener"
    

    2. Open all external links through your own intermediate page, on which the following code must run:

    window.opener = null;
    

    3. Open links in a new tab via JS:

    var otherWindow = window.open();
    otherWindow.opener = null;
    otherWindow.location = targetUrl;
    

    4. Catch all clicks on links and, at the moment of navigation, create a hidden iframe through which the page is opened in a new tab. github.com/danielstjules/blankshield is a JS plugin which, according to its description, solves the problem (I have not tested it personally).

    PS: rel="noopener" does not work in FF (habrahabr.ru/post/282880/#comment_8879594). Instead you can use rel="noreferrer".
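    As an added example (not code from the original post), here is a small Node.js helper that audits an HTML string for target="_blank" links that still expose window.opener (option 1 above, plus the rel="noreferrer" fallback from the PS) and rewrites them. The sample HTML and the simple tag regex are my own assumptions; it handles ordinary <a ...> tags, not every case a full HTML parser would.

```javascript
// Matches an opening <a ...> tag and captures its attribute text.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// Matches one attribute: name="value", name='value' or name=value.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attribute text of one <a ...> tag into a plain object.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[3] !== undefined ? m[3] : (m[4] !== undefined ? m[4] : m[5]);
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// A new-tab link is safe when rel contains noopener, or noreferrer
// (the fallback for browsers where noopener is not supported).
function isSafeRel(rel) {
  const tokens = (rel || '').toLowerCase().split(/\s+/);
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

// Return the hrefs of every target="_blank" anchor that still hands
// window.opener to the opened page.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const a = parseAttrs(m[1]);
    if ((a.target || '').toLowerCase() === '_blank' && !isSafeRel(a.rel)) {
      unsafe.push(a.href || '');
    }
  }
  return unsafe;
}

// Rewrite the HTML so every target="_blank" anchor carries rel="noopener noreferrer".
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const a = parseAttrs(attrText);
    if ((a.target || '').toLowerCase() !== '_blank' || isSafeRel(a.rel)) return tag;
    const tokens = new Set((a.rel || '').split(/\s+/).filter(Boolean));
    tokens.add('noopener');
    tokens.add('noreferrer');
    // Drop any existing rel attribute and append the hardened one.
    const withoutRel = attrText.replace(/\s*\brel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return `<a${withoutRel} rel="${Array.from(tokens).join(' ')}">`;
  });
}

// Constructed sample page: one unsafe new-tab link, one already hardened, one same-tab link.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">unsafe</a>
<a href="https://example.com/b" target="_blank" rel="noopener">safe</a>
<a href="https://example.com/c">same tab</a>`;
```

Running findUnsafeLinks(SAMPLE_HTML) reports only https://example.com/a, and findUnsafeLinks(hardenLinks(SAMPLE_HTML)) returns an empty list.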

    PPS: For anyone who considers the article https://medium.com/@jitbit/target-blank-the-most-under... to be the original: compare the publication dates. My article was published on May 3rd, the English one on the 4th.
