When a web page opens a link in a new window, the opened page may access the originating page through the window.opener property.

Why is this an issue?

When a page opens a new window or tab using window.open() or <a target="_blank">, the opened page can access the originating page through the window.opener object. If the originating page links to untrusted external content, the opened page can exploit this access to redirect the originating tab to a different URL, a technique known as reverse tabnabbing. This rule raises an issue when a window or tab is opened without disabling opener access using the noopener option or attribute.

What is the potential impact?

Phishing

An attacker can host a malicious page that, when opened from a trusted site, uses window.opener to redirect the originating tab to a fake login page. Users who switch back to the original tab may not notice they have been redirected and may enter their credentials on the phishing site.

How to fix it

Code examples

The following code is vulnerable because the opened page can access the originating window through window.opener.

Noncompliant code example

window.open("https://example.com/dangerous"); // Noncompliant

Compliant solution

window.open("https://example.com/dangerous", "WindowName", "noopener");
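The following helpers are an added example, not code from the rule page or from SonarSource: they show both fixes described above (the "noopener" feature string for window.open() and rel="noopener" on target="_blank" anchors) together with a small audit over a constructed HTML fragment. The names withNoopener, openExternal, anchorIsVulnerable and findVulnerableAnchors are assumptions made for this illustration. Note the browser caveat the rule does not spell out: when "noopener" is honoured, window.open() returns null, so callers must not depend on the returned handle.

```javascript
// Added example (not from the rule page): opening new tabs without leaking
// window.opener, plus a static audit of anchors that would leak it.

// Ensure a window.open() feature string contains "noopener".
function withNoopener(features = "") {
  const parts = features.split(",").map((f) => f.trim()).filter(Boolean);
  if (!parts.some((f) => f.toLowerCase() === "noopener")) {
    parts.push("noopener");
  }
  return parts.join(",");
}

// Open an external URL in a new tab with opener access disabled.
// `win` defaults to the global window; it is a parameter so the helper can be
// exercised outside a browser. With "noopener" honoured, open() returns null.
function openExternal(url, name = "_blank", features = "", win = globalThis) {
  const handle = win.open(url, name, withNoopener(features));
  if (handle) {
    // Older browsers ignore "noopener" and still hand back a window: sever
    // the link ourselves so the new page cannot reach this one.
    handle.opener = null;
  }
  return handle;
}

// Decide whether an <a> needs rel="noopener" given its attribute map.
function anchorIsVulnerable(attrs) {
  const target = (attrs.target || "").toLowerCase();
  if (target !== "_blank") return false; // same-tab links do not expose opener
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
  // "noreferrer" implies "noopener" in current browsers, so accept either.
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Minimal attribute parser for a single <a ...> tag (double-quoted values only).
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Return the hrefs of anchors that open a new tab without disabling opener access.
function findVulnerableAnchors(html) {
  const found = [];
  const tagRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    if (anchorIsVulnerable(attrs)) found.push(attrs.href || "");
  }
  return found;
}

// Constructed sample fragment: two unsafe links, one fixed link, one same-tab link.
const SAMPLE_HTML = `
<a href="https://example.com/dangerous" target="_blank">bad</a>
<a href="https://example.com/other" target="_blank" rel="nofollow">also bad</a>
<a href="https://example.com/safe" target="_blank" rel="noopener noreferrer">ok</a>
<a href="/internal">same tab</a>
`;

if (typeof require !== "undefined" && require.main === module) {
  // Prints the two hrefs that still expose window.opener.
  console.log(findVulnerableAnchors(SAMPLE_HTML));
}
```

In a real page the audit would walk document.querySelectorAll("a[target=_blank]") rather than regex-scan markup; the string-based version here only exists so the check can run outside a browser.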

Resources

Articles & blog posts

Standards