The security risk that is the humble link in your webpages
tl;dr: When adding the target attribute to an a element which takes you to a property you do not own, you must add rel="noopener noreferrer".
Info
When you open a link using target, for example in a new tab (target="_blank"), the browser may—though not universally—set the window.opener of the new tab to be the original window. This means that the new tab can access some information from the original window or tab.
If it is on the same domain, this is particularly risky, as it includes cookies and content. If it is on a different domain, the same-origin policy protects most information, though some details may still be exposed.
Attack Vectors
These attack vectors are targeted and do not represent a major risk, but the cost of mitigation is low. Here’s why I recommend taking precautions.
Same Domain
It’s not uncommon for a single domain to host pieces built by multiple teams, especially as web components gain traction. A vulnerability in one team’s code can now impact the entire domain.
For example:
https://badsite.com/login.htmlis built by teamA and handles authentication.https://badsite.com/products.htmlis built by teamB and lists products publicly.
If the login page links to products.html with target="_blank", malicious JavaScript in the products page could manipulate the login page—silently stealing credentials or injecting unwanted behavior.
This is also a strong case for using sub-resource integrity, especially when loading JS, CSS, or other assets via CDN.
Additionally, document.domain can grant elevated access to superdomains—but note that cookies remain protected post-changes.
Different Domain
While data is more locked down here, two attack vectors still exist:
Location Changes
The parent window/tab’s location can be altered. An attacker could:
- Redirect the original tab to a vulnerable page.
- In a phishing attack, make it appear identical to a trusted site (e.g., a bank).
Example: You click a link from your bank’s site to a third party. If that third-party page (either intentionally or via a compromised CDN) detects the referring bank’s URL, it could silently redirect you to a fake login page. You return to the tab, unaware it’s now malicious, and unknowingly compromise your credentials.
postMessage
The postMessage API allows cross-domain communication. If the parent page uses it and contains vulnerabilities, a new tab could exploit them to gain unintended privileges.
Solution
Add rel="noopener noreferrer" to links with target="_blank" to prevent window.opener from being set unless you explicitly trust the destination property.
<a href="..." target="_blank" rel="noopener noreferrer">Safe link</a>