Eric Tompkins
May 1, 2017

How BranchCMS Helps Protect Your Website Against the target=_blank Link Vulnerability

If you add a link to your website and you set that link to open in a new tab/window then you are opening your website up to attacks from malicious websites. This attack is known as the target=_blank vulnerability or tabnabbing. The attack is to switch a tab in your browser with a malicious website, where you could be asked to enter your login information again. Often these malicious pages are disguised as a login page to a popular website or bank.

The vulnerability happens when you set a link to open in a new tab/window. 

When you add a link to a website by default the HTML looks something like this:

<a href="">Link to website</a>

If you set the link to open in a new window then the HTML looks like this:

<a href="" target="_blank">Link to website</a>

The target="_blank" attribute tells the browser to open the link in a new window or tab. The issue is that now the website that has been opened in the new window or tab can access parts of the original website.

Note, if you Ctrl/Cmd+click or right click on a link to open it in a new tab then you are not exposed to this vulnerability. It only applies to links that have a target attribute value like target="_blank".

The protection

Thankfully there is a fairly simple solution to protect your website and users against this vulnerability. It's as simple as adding rel="noopener noreferrer" to the link tag HTML.

BranchCMS helps out by automatically adding this for you. Whenever you add new links within the rich text editor and set the link to open in a new tab/window then rel="noopener noreferrer" is automatically added to the link. Existing links on pages won't be updated, but any new links will be affected.

If you set a navigation link to open in a new tab/window then rel="noopener noreferrer" is added to that link. Also, any content passed through the text2html Twig filter will also have rel="noopener noreferrer" added to any links that open in a new tab/window.

The exception is any links to other content within your website. Because noreferrer can affect analytics, no links within your website will have rel="noopener noreferrer" added to them.

About the solution

The simplest solution is to avoid opening links in a new tab. There are very few reasons to open links in a new tab/window and doing so can compromise user security, affect accessibility and break user's expectations.

However, opening a link in a new tab is common and it's understandable that someone would want to do this.

The solution is to add rel="noopener" to the link tag. From the specs:

"The keyword indicates that any newly created browsing context which results from following the hyperlink will have disowned its opener, which means that its window.opener property will be null."

Unfortunately, the browser support of rel=noopener is still too limited to consider it a complete solution to the security problem. You should also include "noreferrer" rel attribute value as that disables the Referrer HTTP header, which also means that the Javascript window.opener property will be null.

Does this affect my SEO?

The short answer is no.

Neither noreferrer or noopener have an effect on a link's SEO or affects the SEO of the website that is being linked to. However, this is sometimes confused with rel="nofollow", which does affect SEO.

noopener: Tells the browser to not associate the opening browser tab with the new tab that opened. This sets the Javascript window.opener property to be null.

noreferrer: Tells the browser to not send the referrer information to the new tab that is opened from the link. This has no effect on SEO, but it can affect analytics.

nofollow: Indicates that the link is not endorsed by the original website. It essentially tells the search engine that the link should not influence the ranking of the linked website in the search engine's index.

As you can see, only nofollow has any effect on SEO.

What if I don't want this?

If you don't want the tabnabbing vulnerability protection then you can turn it off. 

First, go to the Editor Settings under Settings -> Rich Text Editor and set the Add rel="noopener noreferrer" to links that open in a new tab/window (i.e. target="_blank") field to "No".

Then, go to the Security Settings under Settings -> Security and set the Add rel="noopener noreferrer" to links that open in a new tab/window (i.e. target="_blank") field there to "No".


Below are some links to other websites that talk about this vulnerability more and the solutions for it.

Sign up for our newsletter to receive invaluable information about BranchCMS, web design & development.