In a phishing attack the attacker will try to steal user data, e.g. login credentials. Reverse tabnabbing is a phishing method, and here we will try to explain what it is and how it can be prevented.
2 min read
By Robert Larsen
December 12, 2019
Websites often refer to pages on other websites. Such links are some times opened in a new tab. If we add the
target="_blank" to an
A linked page opened with
target="_blank" or by
window.opener-property as the linking page. Thus, the linked page can set the property
window.opener.location to anything it wants. That opens a set of possibilities, and we can imagine the following attack scenario:
window.opener.location = <url to fake login page>.
There are two quite easy fixes to prevent this kind of attack.
rel="noopener noreferrer"to every
a-element that has
target set to
noopener ensures that the linked page does not have access to
window.opener from the linking page.
noreferrer make sure that the request referrer header is not being sent. Thus, the destination site will not see the URL the user came from. According to caniuse.com, the support for noreferrer and noopener is good in recent versions of major browsers. Be aware that Internet Explorer is the usual exception.
var myNewWindow = window.open(url, name, 'noopener,noreferrer')\
myNewWindow.opener = null
If you are showing user-generated content on your page you must sanitize the input and apply "noopener noreferrer" to every link.
We hope that you have this in mind when you develop your websites. Please refer to the links below if you want to know more.