Skip to content

Security: Global _blank link rewriting without noopener allows reverse tabnabbing#588

Open
tuanaiseo wants to merge 1 commit into
XIU2:masterfrom
tuanaiseo:contribai/fix/security/global-blank-link-rewriting-without-noop
Open

Security: Global _blank link rewriting without noopener allows reverse tabnabbing#588
tuanaiseo wants to merge 1 commit into
XIU2:masterfrom
tuanaiseo:contribai/fix/security/global-blank-link-rewriting-without-noop

Conversation

@tuanaiseo

Copy link
Copy Markdown

Problem

The script forces all links to open in a new tab by injecting <base target="_blank">, but does not enforce rel="noopener noreferrer" on those links. Opened pages can access window.opener and potentially navigate the original tab to a phishing page (reverse tabnabbing).

Severity: medium
File: TargetBlank.user.js

Solution

Avoid global <base target="_blank"> for untrusted destinations, or explicitly set rel="noopener noreferrer" on every external link opened in a new tab. Prefer per-link handling with strict URL checks.

Changes

  • TargetBlank.user.js (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced
The script forces all links to open in a new tab by injecting `<base target="_blank">`, but does not enforce `rel="noopener noreferrer"` on those links. Opened pages can access `window.opener` and potentially navigate the original tab to a phishing page (reverse tabnabbing).

Affected files: TargetBlank.user.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

1 participant