This exploit is over a year old, but I just now came across it. When I was messing around with a security plugin for WordPress last week, there was a setting about combatting an exploit with target="_blank" — something most developers use time and time again to open links to external sites in a new tab or window.
Turns out that hackers have found a way to exploit that, as the page opened with target="_blank" has partial access to the linking page via the window.opener object.
Luckily it's real easy to combat: add rel="noopener noreferrer" to each external link.
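To apply that fix across a whole page instead of link by link, here is an added example (not from the original post, the plugin, or JitBit) that appends the two rel tokens to every external target="_blank" link while keeping any rel values already present. The function names are illustrative assumptions.

```javascript
// Added example: function names are illustrative, not from any plugin.
const REQUIRED = ["noopener", "noreferrer"];

// True when href resolves to a different origin than the page it sits on.
function isExternal(href, pageUrl) {
  try {
    return new URL(href, pageUrl).origin !== new URL(pageUrl).origin;
  } catch (e) {
    return false; // unparsable href: leave the link alone
  }
}

// Returns the (whitespace-normalised) rel value a link should carry.
// Tokens are only added for external links with target="_blank".
function hardenedRel(href, target, rel, pageUrl) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const opensNewTab = (target || "").toLowerCase() === "_blank";
  if (!opensNewTab || !isExternal(href, pageUrl)) return tokens.join(" ");
  const have = new Set(tokens.map((t) => t.toLowerCase()));
  for (const t of REQUIRED) if (!have.has(t)) tokens.push(t);
  return tokens.join(" ");
}

// Browser-only: patch every anchor under root, return how many changed.
function hardenLinks(root, pageUrl) {
  let changed = 0;
  for (const a of root.querySelectorAll("a[target]")) {
    const before = a.getAttribute("rel") || "";
    const after = hardenedRel(a.getAttribute("href") || "",
                              a.getAttribute("target"), before, pageUrl);
    if (after !== before) { a.setAttribute("rel", after); changed++; }
  }
  return changed;
}

// Runs only where a DOM exists (e.g. pasted into the browser console).
if (typeof document !== "undefined") {
  console.log("links hardened:", hardenLinks(document, location.href));
}
```

Links injected after the script runs are not covered, so the attribute is best set where the markup is generated.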
Source: JitBit – Target="_blank" – the most underestimated vulnerability ever