Target="_blank" Tabnabbing Vulnerability

I have read a few articles online about the target="_blank" phishing vulnerability. I was wondering if someone at Treehouse would like to better explain. The articles seemed to be vague and not to the point.

They mentioned having to add rel='noopener noreferrer' to your anchor tags that use target="_blank".

Further enlightenment would be appreciated.

1 Answer

Chad Kozicki
16,294 Points

I feel like this is a great article to explain it with fixes: https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/

The idea is whenever you open a page with target="_blank", it gains limited access to the page that it was opened from through JavaScript via "window.opener" and a few other JavaScript methods. This doesn't matter much if the new tab opened is your own page, and it is very useful in some applications. However, on a site like Facebook, where people can post links to other sites, if those links are opened using target="_blank", those sites can use that bit of JavaScript to change the page you originally opened the tab from to a phishing page that looks like a Facebook sign-in page, stealing people's login information in the process.
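
The rel='noopener noreferrer' fix from the question, written as a page audit. This is an added example, not part of the original posts or the linked article, and the function names `hardenedRel` and `hardenLinks` are hypothetical. It goes slightly beyond target="_blank" by also covering any named target, since those open a new tab with window.opener set as well.

```javascript
// Added example: audit and harden links that open a new browsing context.
// Targets that stay in the current context tree never hand window.opener to a new tab.
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);
const REQUIRED = ["noopener", "noreferrer"];

// Returns the rel value the link should carry, or null when no change is needed.
function hardenedRel(target, rel) {
  const t = (target || "").trim().toLowerCase();
  if (SAME_CONTEXT.has(t)) return null;
  // Keep existing tokens (e.g. nofollow) and append only what is missing.
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const have = new Set(tokens.map((x) => x.toLowerCase()));
  const missing = REQUIRED.filter((x) => !have.has(x));
  if (missing.length === 0) return null;
  return tokens.concat(missing).join(" ");
}

// Walks a DOM root (document, or a container holding user-posted content),
// rewrites rel where needed and returns the hrefs of the links it changed.
function hardenLinks(root) {
  const changed = [];
  for (const el of root.querySelectorAll("a[target], area[target]")) {
    const rel = hardenedRel(el.getAttribute("target"), el.getAttribute("rel"));
    if (rel !== null) {
      el.setAttribute("rel", rel);
      changed.push(el.getAttribute("href"));
    }
  }
  return changed;
}

// In a browser, run once the DOM is ready; under Node this branch is skipped.
if (typeof document !== "undefined") {
  console.log("hardened links:", hardenLinks(document));
}
```

Running this client-side only covers links present when it executes, so links in user-submitted content are better given the same rel value where the HTML is generated.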