Fix needed to prevent reverse tabnabbing.
-
I’ve mentioned this before, but seems it’s still not resolved. Monthly we receive Qualys Reports from the Cybersecurity and Infrastructure Security Agency (CISA) which is a part of the Department of Homeland Security. On the links you have target=”blank” (i.e. GoogleCal, Directions Google Maps, anything that contains _blank) you should really add either rel=”noreferrer”, rel=”noopener” or rel=”noopener noreferrer” to help prevent reverse tabnabbing. Reverse Tabnabbing is an attack where the target page is replaced by a phishing site. Attackers can use JavaScript’s window.opener and inject a malicious domain in the url. When the user clicks on the html link, they can get redirected to a phishing or unintentional website. It’s already the default for WordPress and should be a relatively easy fix to bring it up to standard. Thanks!
You must be logged in to reply to this topic.