A newly opened window having access back to the originating window could allow basic phishing attacks (the window.opener object is not null and thus window.opener.location can be set to a malicious website by the opened page).

For instance, an attacker can put a link (say: "http://example.com/mylink") on a popular website that changes, when opened, the original page to "http://example.com/fake_login". On "http://example.com/fake_login" there is a fake login page which could trick real users to enter their credentials.

Ask Yourself Whether

• The application opens untrusted external URL.

There is a risk if you answered yes to this question.

Recommended Secure Coding Practices

Use noopener to prevent untrusted pages from abusing window.opener.

Note: In Chrome 88+, Firefox 79+ or Safari 12.1+ target=_blank on anchors implies rel=noopener which make the protection enabled by default.

Sensitive Code Example

window.open("https://example.com/dangerous");

Compliant Solution

window.open("https://example.com/dangerous", "WindowName", "noopener");

See

• OWASP Top 10 2021 Category A5 - Security Misconfiguration
• Reverse Tabnabbing
• MITRE, CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access
• OWASP Top 10 2017 Category A6 - Security Misconfiguration
• https://mathiasbynens.github.io/rel-noopener/