The target="_blank" attribute in HTML, used from Facebook to Google, is susceptible to a massive phishing vulnerability.

The Vulnerability

When using this attribute, developers or hackers can gain access to the new page in the window.opener object. This allows malicious users to execute Javascript code, change the window.opener.location, etc. This also works with


Say I have a link on my Facebook page pointing back to my website.

<a href="#" target='_blank'></a>

All I’d need to do at this point is execute a bit of Javascript code and phish away.

if (window.opener) {
  window.opener.location = "";

This essentially gives me control over aspects of the referring page, in this case, the referring page was none other than Facebook.

The Fix

rel='noopener' for Chrome, Safari, Opera, IE.

rel='noopener noreferrer' for Firefox.

Other Issues

This actually can lead to more than just phishing attacks, not to say that changing the url of your banking site without you knowing in order to gain access to your login credentials isn’t bad!

Since I now have access to the window.opener object, I have partial access to what was on the referring page - allowing me to gather more information about the user who clicked through to the link, and perhaps steal some valuable information from you if I’m good enough!

So far, this issue has been spotted on Facebook, Twitter, Instagram, and Google. All of which are heavy targets for phishing and privacy concerns.