missing-reverse-tabnabbing-protection

Ensure secure link target

When a link is created with target="_blank" to open in a new window, rel="noopener noreferrer" should also be set to prevent reverse tabnabbing in older browsers. Reverse tabnabbing occurs when a page opened in a new tab or window holds a reference to the original application through the window.opener DOM property. A malicious page can use this reference to navigate the original tab to a phishing page without the victim noticing.

Examples

Insecure Example

var Test1 = <a target='_blank' href="http://example.com/"></a>

Secure Example

var OkTest3 = <a target="_blank" rel="noopener noreferrer" href="http://example.com"></a>
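
The check described above can also be run over rendered or templated markup. The following is an added example, not part of the rule's own implementation: it flags every target="_blank" anchor whose rel lacks either token. The names findUnsafeBlankLinks, parseAttributes and SAMPLE_MARKUP are hypothetical, the sample input is constructed, and only literal attribute values are handled (JSX expressions such as target={x} are not evaluated).

```javascript
// Added example: audit markup strings for target="_blank" links lacking rel protection.
// All names here are hypothetical; SAMPLE_MARKUP is constructed for illustration.

const REQUIRED_REL = ["noopener", "noreferrer"]; // tokens the rule text asks for

// Parse the attributes of one opening <a> tag into a lowercase-keyed map.
function parseAttributes(tag) {
  const attrs = {};
  const attrRe = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<a/i, "").replace(/\/?>$/, "");
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per <a target="_blank"> whose rel lacks a required token.
function findUnsafeBlankLinks(markup) {
  const findings = [];
  // Match opening <a> tags only; quoted values may contain '>'.
  const tagRe = /<a(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  for (const [tag] of markup.matchAll(tagRe)) {
    const attrs = parseAttributes(tag);
    // The _blank keyword is matched case-insensitively by browsers.
    if ((attrs.target || "").trim().toLowerCase() !== "_blank") continue;
    // rel is a space-separated, case-insensitive token list.
    const rel = new Set((attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean));
    const missing = REQUIRED_REL.filter((t) => !rel.has(t));
    if (missing.length > 0) findings.push({ tag, missing });
  }
  return findings;
}

// Constructed sample: the two examples above plus edge cases
// (uppercase keyword, unrelated rel token, mixed-case rel, unquoted value).
const SAMPLE_MARKUP = `
<a target='_blank' href="http://example.com/"></a>
<a target="_blank" rel="noopener noreferrer" href="http://example.com"></a>
<a target="_BLANK" rel="nofollow" href="http://example.com/docs">docs</a>
<a rel="NoReferrer NoOpener" target=_blank href="http://example.com/x">x</a>
<a href="http://example.com/same-tab">same tab</a>
`;

for (const f of findUnsafeBlankLinks(SAMPLE_MARKUP)) {
  console.log(`missing rel tokens [${f.missing.join(", ")}]: ${f.tag}`);
}
```
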