Target Blank Links - Pink Sock Test

This test page demonstrates a security vulnerability where links with target="_blank" don't include rel="noopener noreferrer", which can allow the linked page to access the opener window through the window.opener object.

Security Issue: Links with target="_blank" but without rel="noopener noreferrer" can expose your site to performance and security issues as the opened page can access the opener window.

Test Case

Vulnerable code:

<a href="https://example.com" target="_blank">Visit Example Site</a>

Visit Example Site (Vulnerable Link)

Visit Example Site (Secure Link with noopener)

Explanation

When you create a link with target="_blank", the new page gains access to the original page through the window.opener object. This creates two potential issues:

Security Vulnerability: The opened page can potentially redirect the opener page to a phishing site using window.opener.location = maliciousUrl
Performance Issue: The opened page runs in the same process as the opener page, which can slow down the original page if the new one is resource-intensive

This is especially concerning for links to third-party or untrusted websites that might be malicious.

How Pink Sock detects this issue:

Pink Sock scans for all <a> elements with target="_blank" and checks if they include the rel="noopener" or rel="noreferrer" attributes, especially for cross-origin links.

How to fix:

Always add rel="noopener noreferrer" to links that open in a new tab or window:

<a href="https://example.com" target="_blank" rel="noopener noreferrer">Visit Example Site</a>

This prevents the opened page from accessing the window.opener object and redirecting the original page.

Additional Information

Attribute Explanation

noopener: Prevents the new page from being able to access the window.opener property and ensures it runs in a separate process
noreferrer: Prevents the Referer header from being sent to the new page and also implies noopener

Browser Compatibility

In most modern browsers, target="_blank" automatically implies rel="noopener", but this behavior is not universal across all browsers and versions. Therefore, it's still best practice to explicitly include rel="noopener" or rel="noreferrer" for maximum compatibility and security.

Demonstration

You can test this vulnerability with the following code in the linked page:

if (window.opener) {
  console.log("I can access the opener window!");
  // Potentially harmful: window.opener.location = "https://malicious-site.example";
} else {
  console.log("The opener window is protected.");
}