Avoid target='_blank' attribute without rel='noopener noreferrer' JS-0422
Security
Major
react
a05
owasp top 10
cwe-1022
When creating a JSX element with a tag, it is often desired to have the link open in a new tab using the target='_blank' attribute. Using this attribute unaccompanied by rel='noreferrer', however, is a severe security vulnerability.
Using target='_blank' links grants the page we are linking to a partial access to the source page via the window.opener object.
The newly opened tab can then change the window.opener.location to some phishing page. Or execute some JavaScript on the opener page on their behalf.
Since the users trust the page that is already opened, they won't get suspicious and this might result in a security risk.
Bad Practice
// Bad: Example 1
var Hello = <a target='_blank' href="http://example.com/"></a>
// Bad: Example 2
var Hello = <a target='_blank' href={dynamicLink}></a>
Recommended
// Example 1
var Hello = <p target="_blank"></p>
// Example 2
var Hello = <a target="_blank" rel="noreferrer" href="http://example.com"></a>
// Example 3
var Hello = <a target="_blank" rel="noopener noreferrer" href="http://example.com"></a>
// Example 4
var Hello = <a target="_blank" href="relative/path/in/the/host"></a>
// Example 5
var Hello = <a target="_blank" href="/absolute/path/in/the/host"></a>
// Example 6
var Hello = <a></a>