Skip to content

Security: Global _blank link rewriting without noopener allows reverse tabnabbing#588

Open
tuanaiseo wants to merge 1 commit intoXIU2:masterfrom
tuanaiseo:contribai/fix/security/global-blank-link-rewriting-without-noop
Open

Security: Global _blank link rewriting without noopener allows reverse tabnabbing#588
tuanaiseo wants to merge 1 commit intoXIU2:masterfrom
tuanaiseo:contribai/fix/security/global-blank-link-rewriting-without-noop

Conversation

@tuanaiseo
Copy link
Copy Markdown

@tuanaiseo tuanaiseo commented Apr 7, 2026

Problem

The script forces all links to open in a new tab by injecting <base target="_blank">, but does not enforce rel="noopener noreferrer" on those links. Opened pages can access window.opener and potentially navigate the original tab to a phishing page (reverse tabnabbing).

Severity: medium
File: TargetBlank.user.js

Solution

Avoid global <base target="_blank"> for untrusted destinations, or explicitly set rel="noopener noreferrer" on every external link opened in a new tab. Prefer per-link handling with strict URL checks.

Changes

  • TargetBlank.user.js (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

@tuanaiseo
fix(security): global _blank link rewriting without noopener
618db01 
The script forces all links to open in a new tab by injecting `<base target="_blank">`, but does not enforce `rel="noopener noreferrer"` on those links. Opened pages can access `window.opener` and potentially navigate the original tab to a phishing page (reverse tabnabbing).

Affected files: TargetBlank.user.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tuanaiseo