But when a newly opened page points to a site we don't know, we are exposed to a phishing vulnerability: the new page gains partial access to the linking page. For example, it can use window.opener.location to redirect the user of the initial page to a fake phishing site that mimics the look of the original and do all kinds of nasty stuff. This can be very effective, given that the user trusts the page that is already open.
In order to prevent this we can:
- in HTML, add rel="noopener noreferrer" to every link that opens in a new tab:
<a href="someLink.com" target="_blank" rel="noopener noreferrer">open securely in a new tab</a>
- in JavaScript, clear the opener reference on the window we open (window.open returns null when a popup blocker intervenes, so check it before assigning):
const newWindow = window.open("someLink.com");
if (newWindow) newWindow.opener = null;
Later edit: it seems that noreferrer is now redundant, so noopener should be enough for the HTML use.
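As an added example (not code from the original post), here is a small audit that scans a page's HTML for target="_blank" links lacking the protective rel values discussed above; it treats rel="noreferrer" as sufficient on its own, per the later edit. The function names and the sample HTML are constructed for this example.

```javascript
// Added example: find <a target="_blank"> links that hand the opened page a
// usable window.opener, i.e. links with neither rel="noopener" nor
// rel="noreferrer" (noreferrer implies noopener). Pure string parsing, runs in Node.

// Parse the attributes of one <a ...> start tag into a lowercase-keyed object.
function parseAttributes(tagBody) {
  const attrs = {};
  // name, optionally followed by = "double-quoted" | 'single-quoted' | unquoted
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Does the rel attribute neutralise window.opener for the opened page?
function relIsSafe(rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes("noopener") || tokens.includes("noreferrer");
}

// Return the hrefs of every <a target="_blank"> that lacks a protective rel.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  const anchorRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    if (!relIsSafe(attrs.rel)) unsafe.push(attrs.href ?? "(no href)");
  }
  return unsafe;
}

// Constructed sample page: two safe links, two that leak window.opener, one same-tab link.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank" rel="noopener noreferrer">safe</a>
<a href="https://example.com/b" target="_blank" rel="noreferrer">safe (noreferrer implies noopener)</a>
<a href="https://example.com/c" target="_blank">unsafe</a>
<a href='https://example.com/d' target=_blank rel="nofollow">unsafe</a>
<a href="/internal">same tab, fine</a>
`;

console.log(findUnsafeBlankLinks(SAMPLE_HTML));
// → [ 'https://example.com/c', 'https://example.com/d' ]
```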