You should know about the _blank vulnerability

Mon 25 Feb 2019
Tue 26 Feb 2019

I've been front-ending over the weekend. The same friend that got me started on improving my styling also saw that I was using links with _blank.

He told me that there is a serious security vulnerability around using links with the blank option. To resolve the issue you simply add rel="noreferrer noopener" to all outgoing _blank links.

Curious to the why and how I started reading upon this article. He also has an example that shows why blank links could pose a potential threat to all users of your website.

Why does this happen?

Apparently, you get a reference of the original window when you open a new window with a _blank link. Another good example of this exploit would be the w3school's example of the opener object within javascript.

I was not aware of this. To put this in perspective, every link on the whole web will operate this way. It's vendor implemented and as of today, every vendor will happily support this.

Then I read this CSS Tricks article. I was trying to find valid reasons to actually use the blank option but also valid reasons from a developer standpoint why the opener object even gets passed in the first place.

After I read that article I found my reasons to use _blank invalid. I agree with the article in the sense that we, developers should not try and deviate from the default behavior browsers provide to their users. As an added bonus we don't even have to think about this security issue.

This feature has existence because of history. There used to be websites that opened popups and used the window context to relay information to the parent. It's old and to my opinion and should not exist anymore.

Yet, I have the feeling that this will still stay for a while. Thus, you need to make a choice. Add the options noreferrer noopener or simply don't deviate from standard behavior. All I'm saying is think about this for a few minutes and make a thoughtful decision on whether you need this feature on your links.

I make a case for not deviating from standards. Everything we add a developer needs to be supported at one point, including this with all risks attached.

Where does this exploit even get used for?

Phishing mainly. You make a link to an external source. The external source hijacks your original window. Redirecting the user to an visually identical page that suddenly prompts the user to log in because their session has expired.

User logs in and their credentials are now known to the exploiter.

My own conclusion

Do I need the _blank option? No. Did I think it was the right thing to do for a long time? Yes. I was happy I found the information out there to improve my knowledge about these vulnerabilities. Here is me paying it forward.

Bug tickets filed at browser vendors

Good to see that the community responds pretty quick to this sort of thing. They make it able for us developers to choose what we want to implement.