This exploit is over a year old, but I just now came across it. While I was messing around with a security plugin for WordPress last week, I saw a setting about combatting an exploit with target="_blank", something most developers use time and time again to open links to external sites in a new tab or window.
Turns out that hackers have found a way to exploit that, as the page opened with target="_blank" has partial access to the linking page via the
Luckily it's real easy to combat: add
rel="noopener noreferrer" to each external link.
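One way to apply that fix in bulk to existing markup, as an added example that is not from the original post or from any WordPress plugin. The helper name hardenBlankLinks is hypothetical, the sample markup is constructed, and the tag matching assumes no ">" appears inside an attribute value.

```javascript
// Added example: string-level rewrite for templates or stored post content.
// hardenBlankLinks is a hypothetical helper, not a WordPress or plugin API.
const REQUIRED = ['noopener', 'noreferrer'];
const A_TAG = /<a\b([^>]*)>/gi; // assumption: no ">" inside attribute values
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Split the inside of an <a ...> tag into {name, value} pairs.
function parseAttrs(src) {
  const attrs = [];
  for (const m of src.matchAll(ATTR)) {
    const value = m[2] ?? m[3] ?? m[4] ?? null; // null = bare attribute
    attrs.push({ name: m[1], value });
  }
  return attrs;
}

// Add the missing rel tokens to every <a target="_blank">, keeping
// tokens that are already there (nofollow, sponsored, ...).
function hardenBlankLinks(html) {
  return html.replace(A_TAG, (tag, attrSrc) => {
    const attrs = parseAttrs(attrSrc);
    const target = attrs.find(a => a.name.toLowerCase() === 'target');
    if (!target || (target.value || '').trim().toLowerCase() !== '_blank') {
      return tag; // not opened in a new tab: leave untouched
    }
    let rel = attrs.find(a => a.name.toLowerCase() === 'rel');
    if (!rel) { rel = { name: 'rel', value: '' }; attrs.push(rel); }
    const tokens = (rel.value || '').split(/\s+/).filter(Boolean);
    const have = new Set(tokens.map(t => t.toLowerCase()));
    for (const r of REQUIRED) if (!have.has(r)) tokens.push(r);
    rel.value = tokens.join(' ');
    const out = attrs.map(a => (a.value === null
      ? a.name
      : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`));
    return `<a ${out.join(' ')}>`;
  });
}

// Constructed sample markup covering the cases above.
const SAMPLE = [
  '<a href="https://example.com" target="_blank">external</a>',
  "<a target=_blank rel='nofollow noopener' href=/x>partial rel</a>",
  '<a href="/about">same tab</a>',
].join('\n');
console.log(hardenBlankLinks(SAMPLE));
```

Running the function over its own output changes nothing, so it is safe to apply repeatedly to stored content.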
Source: JitBit – Target="_blank" – the most underestimated vulnerability ever