Missing Tabnabbing Protection

ID

html.missing_tabnabbing_protection

Severity

low

Resource

Access Control

Language

Html

Tags

CWE:1021, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4, PCI-DSS:6.5.6

Description

This rule identifies HTML anchor (<a>) elements that use target="_blank" to open links in a new tab or window without the rel="noopener noreferrer" attribute. This configuration creates a security vulnerability known as "reverse tabnabbing" or "tabnabbing."

Rationale

When a link opens in a new tab using target="_blank", the newly opened page gains access to the window.opener object, which references the original page. This creates several security risks:

Phishing Redirects: The new page can use window.opener.location to redirect the original page to a malicious site. Users may not notice the original tab has changed, making them vulnerable to credential harvesting.

Information Disclosure: The opened page can access properties and methods of the original window, potentially exposing sensitive data or user interactions.

Cross-Origin Attacks: Even across different origins, the window.opener reference exists, allowing malicious sites to manipulate the referring page.

User Trust Exploitation: Attackers can replace the original page with a fake login screen while the user is distracted in the new tab, exploiting the user’s trust in the original site.

Consider the following code:

<a href="https://external-site.com" target="_blank">Visit External Site</a>

<a href="https://untrusted-blog.com/article" target="_blank">Read Article</a>

Malicious JavaScript on the opened page:

// On external-site.com or untrusted-blog.com
// window.opener is the tab that opened this page; the same-origin policy
// still allows the opened page to navigate it to a different URL.
if (window.opener) {
  window.opener.location = 'https://phishing-site.com/fake-login';
}

Remediation

Always add rel="noopener noreferrer" to anchor elements that use target="_blank". This severs the relationship between the original window and the newly opened window.

Corrected Example:

<a href="https://external-site.com"
   target="_blank"
   rel="noopener noreferrer">Visit External Site</a>

<a href="https://untrusted-blog.com/article"
   target="_blank"
   rel="noopener noreferrer">Read Article</a>

Attribute Breakdown:

  • noopener: Opens the new page with window.opener set to null, so it has no reference back to the original window

  • noreferrer: Additionally prevents the browser from sending the Referer header, enhancing privacy

Modern Browser Support: While newer browsers (Chrome 88+, Firefox 79+) apply noopener by default for target="_blank", explicitly setting it ensures compatibility and demonstrates security awareness.

Configuration

This detector has no configurable properties and checks all <a> elements with target="_blank" by default.
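As an added example (not the detector's own implementation), the following Node.js script performs the same check over a constructed HTML document: it finds every <a> start tag whose target is _blank and reports those whose rel attribute lacks the noopener token. The attribute parser, the token check (a rel such as "nofollow noopener" passes, "nofollow" alone is flagged) and the sample HTML are all assumptions made here; the real detector's matching rules are not described beyond what the page states.

```javascript
'use strict';

// Every <a ...> start tag; \b stops <abbr> and <area> from matching.
// Attributes may span several lines, so [^>]* is used rather than a line-based match.
const ANCHOR_TAG = /<a\b([^>]*)>/gi;

// One attribute: name="value", name='value', name=value or a bare name.
const ATTRIBUTE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of a start tag into a lower-cased name -> value map.
// The first occurrence of a duplicated attribute wins, as in browsers.
function parseAttributes(attrText) {
  const attrs = {};
  ATTRIBUTE.lastIndex = 0;
  let m;
  while ((m = ATTRIBUTE.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!(name in attrs)) attrs[name] = value;
  }
  return attrs;
}

// rel is a space-separated, case-insensitive token list.
function hasToken(value, token) {
  return value.toLowerCase().split(/\s+/).includes(token);
}

// Return one finding per <a target="_blank"> whose rel lacks noopener.
function findTabnabbingRisks(html) {
  const findings = [];
  ANCHOR_TAG.lastIndex = 0;
  let m;
  while ((m = ANCHOR_TAG.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const target = (attrs.target || '').trim().toLowerCase();
    if (target !== '_blank') continue;
    const rel = attrs.rel || '';
    if (hasToken(rel, 'noopener')) continue;
    findings.push({
      line: html.slice(0, m.index).split('\n').length,
      href: attrs.href || '',
      rel,
      tag: m[0].replace(/\s+/g, ' '),
      fix: 'add rel="noopener noreferrer"',
    });
  }
  return findings;
}

// Constructed sample input: two unsafe anchors (lines 3 and 4), one fixed
// anchor spanning lines 5-7, one non-_blank link and one mixed-case safe link.
const SAMPLE_HTML = `<!doctype html>
<ul>
  <li><a href="https://external-site.com" target="_blank">Visit External Site</a></li>
  <li><a href="https://untrusted-blog.com/article" target="_blank" rel="nofollow">Read Article</a></li>
  <li><a href="https://external-site.com"
         target="_blank"
         rel="noopener noreferrer">Visit External Site (fixed)</a></li>
  <li><a href="/internal" target="_self">Internal</a></li>
  <li><A HREF='https://example.org' TARGET=_blank REL="NoOpener">Mixed case</A></li>
</ul>
`;

for (const f of findTabnabbingRisks(SAMPLE_HTML)) {
  console.log(`line ${f.line}: ${f.href} (rel="${f.rel}") -> ${f.fix}`);
}
```

Run with `node scan.js`; it prints one line per flagged anchor with the line number, href, current rel value and the fix. Treating the noopener token as sufficient mirrors the remediation above without requiring the exact string "noopener noreferrer", so anchors that already carry other rel tokens are not reported twice.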