- Issue created by @GeduR
- Merge request !22: Issue #3513008: Tabnabbing Vulnerability in External Links → (Merged) created by GeduR
Automatically closed - issue fixed for 2 weeks with no activity.
The website currently uses window.open(d.url, '_blank'); to open external links in a new tab. This implementation introduces a tabnabbing vulnerability, where the newly opened tab can manipulate the parent window using window.opener, potentially redirecting users to phishing sites.
Vulnerability Type: Tabnabbing (exploitation of window.opener)
Impact: A malicious external site could hijack the parent tab and redirect users to a phishing page.
This could lead to credential theft, session hijacking, or other social engineering attacks.
Affected Code:
```javascript
if (d.url) {
  window.open(d.url, '_blank');
}
```
To mitigate tabnabbing, update the code to prevent access to window.opener.
```javascript
if (d.url) {
  window.open(d.url, '_blank', 'noopener');
}
```
- https://developer.mozilla.org/en-US/docs/Web/API/Window/open
- https://stackoverflow.com/a/46958731
Active
1.0
Code
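To check that no other call sites share the pattern reported in this issue, the following audit helper is an added example and not part of the project's code or the merge request. The names `parseArgs`, `findUnsafeOpens` and `SAMPLE` are hypothetical, and the sample input is constructed from the issue's two snippets plus one popup call.

```javascript
// Added example (not project code): heuristic audit for window.open() calls
// that open a new tab without 'noopener'. Text-based, so it only understands
// literal target and features strings.
// Collect the top-level arguments of a call, starting just after its "(".
function parseArgs(src, start) {
  const args = [];
  let depth = 0, quote = null, cur = '';
  for (let i = start; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                       // inside a string literal
      cur += ch;
      if (ch === '\\') cur += src[++i] ?? '';
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') quote = ch;
    else if ('([{'.includes(ch)) depth++;
    else if (')]}'.includes(ch) && depth-- === 0) break;  // end of the call
    if (ch === ',' && depth === 0) { args.push(cur.trim()); cur = ''; }
    else cur += ch;
  }
  if (cur.trim()) args.push(cur.trim());
  return args;
}

function findUnsafeOpens(src) {
  const findings = [];
  const callRe = /\bwindow\.open\s*\(/g;
  let m;
  while ((m = callRe.exec(src)) !== null) {
    const [, target = '', features = ''] = parseArgs(src, callRe.lastIndex);
    // An omitted target defaults to '_blank' in the window.open() signature.
    const blank = target === '' || /^(['"`])_blank\1$/.test(target);
    // 'noreferrer' also implies noopener; a non-literal features argument
    // fails this check and is reported for manual review.
    const safe = /\bno(opener|referrer)\b/.test(features);
    const line = src.slice(0, m.index).split('\n').length;
    if (blank && !safe) findings.push({ line, target, features });
  }
  return findings;
}

// Constructed sample: the issue's two calls plus one sized popup.
const SAMPLE = [
  "window.open(d.url, '_blank');",
  "window.open(d.url, '_blank', 'noopener');",
  "window.open(build(a, b), \"_blank\", 'width=400,height=300');",
].join('\n');
console.log(findUnsafeOpens(SAMPLE).map((f) => f.line));
```

Note that `window.open()` returns `null` when `noopener` is set, so any caller that uses the returned window handle needs adjusting when the fix is applied.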