A security flaw in new tabs I recently discovered that making a link open a new tab by adding a target=”_blank” attribute actually creates the new tab in the same thread and browsing contexts as the previous tab. This creates a few issues. First of all, there’s a potential performance issue, thanks to the fact […]
I recently discovered that making a link open a new tab by adding a target=”_blank” attribute actually creates the new tab in the same thread and browsing contexts as the previous tab.
This creates a few issues.
First of all, there’s a potential performance issue, thanks to the fact that they share the same thread. But more worrying is the fact that a new tab can redirect an old tab without the user knowing. This can be exploited to redirect your old tab to a seemingly identical one but on another server and could be used as a very effective phishing method.
Let’s say you were on a banking site and clicked a link to open a new tab. You browse the new tab for a while, then click back to your previous tab — but you’ve been logged out. When you log back in, you’re sending your online banking details straight to the phishers.
This happens because, by default, a web page can actually access the opener page through the window.opener attribute, and modify its location attribute, even if the two web pages are from different domains.
The solution is to use the rel=”noopener” attribute. However, this does not work on all browsers. Although this flaw was first found a few years ago, IE, Edge, IE Mobile, Blackberry Browser and Opera Mini still don’t support rel=”noopener” at the time of writing this article.
There is another rel attribute value that could help a bit — rel=”noreferrer”. This will hide the referrer header from the new site so that it’s more difficult to know where you came from. This makes it more difficult for the new site to redirect your old tab to a similar looking phishing page as they won’t know what your previous page was.
It by no means makes it impossible though, so it’s not a real fix.
For now, I’ll continue looking into fixes for browsers that do not support rel=”noopener”. It might be that those browsers will support the fix soon. After all, Firefox only supported it from version 61 which was released in June 2018.
In the meantime, it’s probably a good idea to not fill in any log-in forms that you aren’t sure about. In fact, that’s good advice in general. If in doubt, shut the tab and navigate back to a legitimate site.
Subscribe to get our best content. No spam, ever. Unsubscribe at any time.