The security risk that is the humble link in your webpages

tl;dr: When adding the target attribute to an a element which takes you to a property you do not own, you must add rel="noopener noreferrer".

Info

When you open a link using target, for example in a new tab (target="_blank"), the browser may—though not universally—set the window.opener of the new tab to be the original window. This means that the new tab can access some information from the original window or tab.

If it is on the same domain, this is particularly risky, as it includes cookies and content. If it is on a different domain, the same-origin policy protects most information, though some details may still be exposed.

Attack Vectors

These attack vectors are targeted and do not represent a major risk, but the cost of mitigation is low. Here’s why I recommend taking precautions.

Same Domain

It’s not uncommon for a single domain to host pieces built by multiple teams, especially as web components gain traction. A vulnerability in one team’s code can now impact the entire domain.

For example:

If the login page links to products.html with target="_blank", malicious JavaScript in the products page could manipulate the login page—silently stealing credentials or injecting unwanted behavior.

This is also a strong case for using sub-resource integrity, especially when loading JS, CSS, or other assets via CDN.

Additionally, document.domain can grant elevated access to superdomains—but note that cookies remain protected post-changes.

Different Domain

While data is more locked down here, two attack vectors still exist:

Location Changes

The parent window/tab’s location can be altered. An attacker could:

Example: You click a link from your bank’s site to a third party. If that third-party page (either intentionally or via a compromised CDN) detects the referring bank’s URL, it could silently redirect you to a fake login page. You return to the tab, unaware it’s now malicious, and unknowingly compromise your credentials.

postMessage

The postMessage API allows cross-domain communication. If the parent page uses it and contains vulnerabilities, a new tab could exploit them to gain unintended privileges.

Solution

Add rel="noopener noreferrer" to links with target="_blank" to prevent window.opener from being set unless you explicitly trust the destination property.

<a href="..." target="_blank" rel="noopener noreferrer">Safe link</a>