Medium severity

Unsafe Links (Reverse Tabnabbing)

Links that open in a new tab (`target="_blank"`) without `rel="noopener"` or `rel="noreferrer"` are vulnerable.

Business risk

Reverse Tabnabbing: The newly opened page gets access to the `window.opener` object of your page. A malicious external site can use `window.opener.location = "fake-login.com"` to redirect YOUR user to a phishing page in the detailed background tab. The user finishes reading, closes the tab, sees the "login" screen on your tab, and gets phished.

Technical details

Modern browsers (Chrome 88+) implicitly treat `target="_blank"` as `rel="noopener"`, but relying on browser defaults is risky. Always explicitly add `rel="noopener"` to external links. Frameworks like Next.js `next/link` handle this automatically, but raw `<a>` tags do not.

How to detect it

Find every `target="_blank"` anchor missing `rel="noopener"`. Grep over source, or use an ESLint rule that flags this at build time. Scanners can also crawl the rendered DOM and report offenders.

Grep source for target=_blank without rel

grep -nrE "target=[\"\x27]_blank[\"\x27]" ./src | grep -v "rel=" | head -50

Enable the ESLint rule

npm install -D eslint-plugin-react && // .eslintrc: "react/jsx-no-target-blank": "error"

Common pitfalls

Assuming the browser default is enough. Chrome 88+, Firefox 79+, and Safari 12.1+ treat `target="_blank"` as implicit `noopener`. Legacy browsers, embedded WebViews, and Electron shells do not. Always set `rel` explicitly.
Forgetting `window.open()` calls. Code that opens new windows programmatically must pass `noopener,noreferrer` in the third argument, or explicitly set `openedWindow.opener = null`.
Setting only `noreferrer` without `noopener`. `noreferrer` implies `noopener` in modern browsers but not everywhere - include both for portability.
Stripping `rel` during HTML sanitization. Check your sanitizer allowlist - DOMPurify and sanitize-html both preserve `rel` by default, but custom filters sometimes drop it.
Leaving dangerous anchors in rich-text user content. Comment systems and CMS editors should auto-inject `rel="noopener noreferrer"` on external links.

Remediation guide

<a href="https://example.com" target="_blank" rel="noopener noreferrer">
  External Link
</a>

html

External references

OWASP: Reverse Tabnabbing

Frequently asked questions

Do I need both noopener and noreferrer?

`noopener` is the security fix (blocks `window.opener` access). `noreferrer` additionally strips the Referer header. For security, `noopener` alone is enough; for privacy, add `noreferrer`. Most teams set both.

Is this still necessary in modern Chrome?

Yes, for defense in depth. Chrome's default is good for consumer browsers but there are still surfaces - Electron apps, older mobile WebViews, and embedded browsers - where the old behaviour applies. Explicit `rel` is three characters and removes the question entirely.

My framework handles this for me - do I still need to audit?

Next.js `<Link>`, React Router `<Link>`, and most component libraries inject `rel="noopener noreferrer"` automatically. Raw `<a target="_blank">` tags, `dangerouslySetInnerHTML` output, and CMS-rendered markdown still need the audit.

Keep going

Related guide

Missing Content Security Policy (CSP)

High severity · Content

Related guide

Weak Referrer Policy

Low severity · Privacy

Related guide

Missing X-Frame-Options

Medium severity · Content

Verify your fix

Applied the configuration change? Run a live scan to confirm the vulnerability is patched.

Business risk

How to detect it

Find every `target="_blank"` anchor missing `rel="noopener"`. Grep over source, or use an ESLint rule that flags this at build time. Scanners can also crawl the rendered DOM and report offenders.

Grep source for target=_blank without rel

grep -nrE "target=[\"\x27]_blank[\"\x27]" ./src | grep -v "rel=" | head -50

Enable the ESLint rule

npm install -D eslint-plugin-react && // .eslintrc: "react/jsx-no-target-blank": "error"

Common pitfalls

Assuming the browser default is enough. Chrome 88+, Firefox 79+, and Safari 12.1+ treat `target="_blank"` as implicit `noopener`. Legacy browsers, embedded WebViews, and Electron shells do not. Always set `rel` explicitly.

Forgetting `window.open()` calls. Code that opens new windows programmatically must pass `noopener,noreferrer` in the third argument, or explicitly set `openedWindow.opener = null`.

Setting only `noreferrer` without `noopener`. `noreferrer` implies `noopener` in modern browsers but not everywhere - include both for portability.

Stripping `rel` during HTML sanitization. Check your sanitizer allowlist - DOMPurify and sanitize-html both preserve `rel` by default, but custom filters sometimes drop it.

Leaving dangerous anchors in rich-text user content. Comment systems and CMS editors should auto-inject `rel="noopener noreferrer"` on external links.

Frequently asked questions

Do I need both noopener and noreferrer?

Is this still necessary in modern Chrome?

My framework handles this for me - do I still need to audit?