
The target="_blank" vulnerability by example - prawn
https://dev.to/ben/the-targetblank-vulnerability-by-example
======
0xmohit
- Interesting that this has been posted six times [0] over the past 4 days

- Earlier discussion [1] on the same topic posted elsewhere

[0]
[https://news.ycombinator.com/from?site=dev.to](https://news.ycombinator.com/from?site=dev.to)

[1]
[https://news.ycombinator.com/item?id=11631292](https://news.ycombinator.com/item?id=11631292)

------
amgin3
Most organizations don't see this as a valid vulnerability. If you read terms
of most bug bounty programs, they almost always specify that window.opener is
out of scope.

------
andy_ppp
Why on earth does target="_blank" expose window.opener to the new page - that
opens up some mad tracking possibilities if you have JS in the opened page
(e.g. Analytics or comments).

Seems the default should be rel="noopener"...

~~~
andy_ppp
I've worked out why this is allowed... if you middle click (open in a new tab)
a pop up that uses a link (but intercepts the event by default) window.opener
will still work in the new tab. The sibling is right, this should be same
domain only.

------
endemic
Wow, I never knew about this API. Seems very ripe for exploitation; check the
referrer for an incoming request and route the other tab to a mirrored version
of the site, on a host you control, preferably with a "you've been logged out
due to inactivity, enter your credentials" modal.

------
endemic
Another demo page, with links to open bugs in various browsers:
[https://mathiasbynens.github.io/rel-noopener/](https://mathiasbynens.github.io/rel-noopener/)
(not all browsers implement the `rel="noopener"` attribute)

------
helthanatos
I wonder how much work it would take to get real information...

------
Kenji
I followed the three steps below "To clarify" multiple times in different
browsers and (3) did not work at all. I don't see the problem. This article
has left me confused.

EDIT: Oh, seems like Instagram has fixed this after all. If you inspect the
link on his Instagram profile, you will find `rel="nofollow me noopener
noreferrer"` and if you remove that attribute, it works just as described in
the blog. I learned something new.

~~~
jldteixeira
Seems to be fixed now. On Instagram the link has rel="nofollow me noopener
noreferrer"

