The target _blank vulnerability

Most of us have been using target="_blank" in our links so that they open in a new tab. It is a popular practice, and, without the precaution described below, a dangerous one.

The problem

The page opened via target="_blank" receives a reference to the page that linked to it, in window.opener. Cross-origin access through that reference is limited (the new page cannot read the opener's DOM or cookies), but it can assign window.opener.location, which navigates the tab the user came from to any URL of the new page's choosing.

This is known as reverse tabnabbing, and it can be used in a simple phishing attack.


A page that the user trusts has this link:

<a href="" target="_blank">Click here</a>

After the user clicks this link, the opened site holds a reference to our page in window.opener and can run something like:

window.opener.location = "";

That single line navigates the tab the user came from to a site of the attacker's choosing, for example a look-alike login page for the trusted site. The new tab can show exactly what the user expected, so nothing looks wrong, and when the user returns to the original tab they still believe it holds the trusted site and are likely to enter their credentials there. The attack works because of the trust the user places in the site that carried the link.

The problem also presents itself when opening a page with window.open(), since the new window gets the same window.opener reference.

We can fix this by cutting the backlink (the opener object) between the parent and the child pages:

  • Use rel="noopener noreferrer" on HTML links. noopener makes window.opener null in the new page; noreferrer additionally suppresses the Referer header and, in older browsers that predate noopener, has the same opener-cutting effect.
<a href="" target="_blank" rel="noopener noreferrer">Click here</a>
  • For pages opened with window.open(), cut the link by setting opener to null on the returned window, immediately after opening it (alternatively, pass "noopener" in the window features string; window.open() then returns null).
let blogPage = window.open("");
blogPage.opener = null;

Current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) treat target="_blank" as if rel="noopener" were set, but the explicit attribute remains the portable fix for older browsers, and window.open() still needs the explicit handling above.
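The two fixes above, as an added example that is not code from the original post: a helper that retrofits rel="noopener noreferrer" onto every target="_blank" link in a document (useful when links come from a CMS or user content and cannot all be fixed by hand), and a helper that opens a window with no backlink, handling both browsers that honour "noopener" in window.open() and older ones that do not. The function names (hardenedRel, hardenBlankLinks, openWithoutOpener) are my own, and the document and window are passed in as parameters; in a browser you pass the real document and window. The fakeDocument and fakeWindow stand-ins are constructed only so the helpers can be exercised under Node and are not part of any real API.

```javascript
// Build the rel value that cuts the opener link, keeping tokens that are
// already present (e.g. "nofollow") and not duplicating noopener/noreferrer.
function hardenedRel(existingRel) {
  const tokens = new Set((existingRel || "").split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  tokens.add("noreferrer");
  return [...tokens].join(" ");
}

// Walk every <a target="_blank"> in `doc` and add rel="noopener noreferrer".
// Returns the number of links that were changed. In a browser: hardenBlankLinks(document)
function hardenBlankLinks(doc) {
  let changed = 0;
  for (const link of doc.querySelectorAll('a[target="_blank"]')) {
    const before = link.getAttribute("rel") || "";
    const after = hardenedRel(before);
    if (after !== before) {
      link.setAttribute("rel", after);
      changed += 1;
    }
  }
  return changed;
}

// Open `url` in a new tab with no backlink to this page. Current browsers
// honour "noopener" in the features string and then return null; older
// browsers ignore the unknown feature and return the new window, whose
// opener we null immediately, while it still holds the initial about:blank
// document that shares our origin. In a browser: openWithoutOpener(url, window)
function openWithoutOpener(url, win) {
  const popup = win.open(url, "_blank", "noopener,noreferrer");
  if (popup) {
    popup.opener = null; // fallback for browsers without noopener support
  }
  return popup;
}

// Constructed stand-in for a DOM document (assumption: only the selector used
// above needs to work). Not a real API; it exists so the helpers run outside a browser.
function fakeDocument(links) {
  const elements = links.map((attrs) => ({
    attrs: { ...attrs },
    getAttribute(name) {
      return name in this.attrs ? this.attrs[name] : null;
    },
    setAttribute(name, value) {
      this.attrs[name] = value;
    },
  }));
  return {
    querySelectorAll(selector) {
      if (selector !== 'a[target="_blank"]') throw new Error("unsupported selector");
      return elements.filter((el) => el.attrs.target === "_blank");
    },
  };
}

// Constructed stand-in for window.open(): a "modern" window returns null when
// "noopener" is requested, a "legacy" one returns a window that still has an opener.
function fakeWindow(supportsNoopener) {
  return {
    open(url, target, features) {
      if (supportsNoopener && /\bnoopener\b/.test(features)) return null;
      return { url, target, opener: "the page that called open()" };
    },
  };
}
```

hardenedRel keeps whatever rel tokens a link already carries, so running hardenBlankLinks a second time changes nothing. openWithoutOpener nulls the opener synchronously in the same call that created the window; doing it later, after the new window has navigated to a cross-origin URL, is too late, because by then the attacker's page has already had its reference to window.opener.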



Prateek Choudhary
Senior Software Developer