Unsafe Links (Reverse Tabnabbing)
Links that open in a new tab (`target="_blank"`) without `rel="noopener"` or `rel="noreferrer"` are vulnerable to reverse tabnabbing.
Business Risk
Reverse Tabnabbing: The newly opened page receives a reference to your page through its `window.opener` object. A malicious external site can run `window.opener.location = "fake-login.com"` to redirect YOUR page, now sitting in a background tab, to a phishing page. The user finishes reading, closes the new tab, sees a "login" screen in your tab, and gets phished.
Technical Details
Modern browsers (Chrome 88+) implicitly treat `target="_blank"` as if `rel="noopener"` were set, but relying on browser defaults is risky. Always explicitly add `rel="noopener"` to external links. Frameworks like Next.js `next/link` handle this automatically, but raw `<a>` tags do not.
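The following is an added example (not code from the original page or from any scanner product) showing how a team can catch the condition described above in CI and fix it mechanically: a lint-style check over raw HTML that flags every `<a target="_blank">` lacking `noopener`/`noreferrer`, plus a helper that rewrites the offending tags. The sample markup is constructed for the demonstration; the regex-based attribute parsing assumes ordinary, well-formed tags with quoted attribute values and is not a substitute for a full HTML parser.

```javascript
// Matches each opening <a ...> tag; attributes are parsed separately below.
const ANCHOR_RE = /<a\b[^>]*>/gi;
// Matches name="value", name='value' or name=value pairs inside a tag.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attributes of one opening tag into an object with lowercased keys.
// Assumption: simple, well-formed markup (this is a lint check, not a browser parser).
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// rel="noreferrer" implies noopener in browsers that support it, so either token counts.
function hasOpenerProtection(rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes("noopener") || tokens.includes("noreferrer");
}

// Return every anchor that opens a new tab while still handing out window.opener.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[0]);
    if ((attrs.target || "").toLowerCase() === "_blank" && !hasOpenerProtection(attrs.rel)) {
      unsafe.push({ tag: m[0], href: attrs.href || "", offset: m.index });
    }
  }
  return unsafe;
}

// Rewrite unsafe anchors so they carry rel="noopener noreferrer".
// An existing rel value (e.g. rel="nofollow") is extended rather than replaced.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if ((attrs.target || "").toLowerCase() !== "_blank" || hasOpenerProtection(attrs.rel)) {
      return tag; // not a new-tab link, or already protected
    }
    if (attrs.rel !== undefined) {
      const merged = (attrs.rel + " noopener noreferrer").trim();
      return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, `rel="${merged}"`);
    }
    return tag.replace(/>$/, ' rel="noopener noreferrer">');
  });
}

// Constructed sample markup: two unsafe links, one protected link, one same-tab link.
const SAMPLE_HTML = `
<a href="https://example.com/partner" target="_blank">Partner</a>
<a href="https://example.com/docs" target="_blank" rel="noopener">Docs</a>
<a href="/internal" target='_blank' rel="nofollow">Internal</a>
<a href="https://example.com/blog">Blog</a>
`;

// Usage: report the findings, then show the hardened markup.
for (const hit of findUnsafeLinks(SAMPLE_HTML)) {
  console.log(`unsafe new-tab link at offset ${hit.offset}: ${hit.tag}`);
}
console.log(hardenLinks(SAMPLE_HTML));
```

Running `findUnsafeLinks` over the output of `hardenLinks` returns an empty list, which is the property a CI gate should assert on the rendered templates. The check deliberately treats `rel="noreferrer"` as sufficient, since it implies `noopener` in every browser that supports it; teams that also want the referrer stripped for external destinations should prefer `noreferrer` in the rewrite.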
Remediation Guide
External References
Verify Your Fix
Applied the configuration change? Run a live scan to confirm the vulnerability is patched.