Sounds like a Google Chrome issue …
Anyway, it seems iThemes even got the name wrong. This type of attack is officially named tabnabbing, not tabnapping.
To prevent any confusion, I’m not iThemes.
Hi nlpro,
tabnabbing – good to know correct terminology, thanks!
Yes I think you are right and it is a Chrome issue, but iThemes will probably have to work around that because I doubt Google give a hoot about real world problems – unless they can squeeze money out of it they ain’t interested.
Phew – I’m not the only one. This only happens since updating to the latest version of Chrome but I agree, the iThemes team needs to work around it or remove the feature.
We’ve had a lot of missed conversions because users didn’t notice Chrome showing the pop-up blocked message (it’s barely noticeable for many) and so they couldn’t get to the external booking form (conversion point).
I consider this a serious issue regardless of who is to blame.
This reply was modified 5 years, 7 months ago by Michael Ott.
@websanity
iThemes simply included an external javascript library (named blankshield) with the tabnabbing feature.
The library file includes the following header:
/**
 * blankshield - Prevent reverse tabnabbing phishing attacks caused by _blank
 *
 * @version 0.6.0
 * @link https://github.com/danielstjules/blankshield
 * @author Daniel St. Jules <danielst.jules@gmail.com>
 * @license MIT
 */
Perhaps the author of the library will be able to fix the issue.
And then iThemes could include the fixed library file.
If the issue can’t be resolved by fixing the library file and Google is not going to fix the issue in Chrome then iThemes should definitely remove the feature from the plugin.
Oh, by the way there is an updated version (0.6.3) of the library file available on GitHub … maybe, just maybe … feel free to test it 😉
Well researched nlpro!
I checked out the changelog for blankshield and 0.6.3 was released 23/8/18. It doesn’t mention anything about fixes and there are two comments from the last few days with people reporting the problem that we are all seeing, so I don’t think the latest version works either.
https://github.com/danielstjules/blankshield/issues/15
I added my own comment and hope the author will be able to fix it or say that it is not fixable. One commenter puts it down possibly to this:
https://www.chromestatus.com/feature/5989473649164288
Doesn’t look hopeful.
@websanity @timothyblynjacobs
Don’t worry, looks like there is some movement at iThemes in regards to this issue.
The lead developer of the iTSec plugin (Timothy Jacobs) just added the comment below:
We’re pushing a fix to add the noopener rel to links instead of using blankshield for browsers that support the noopener property.
Sounds to me like the blankshield library is about to be thrown out the window 😉
iThemes: Good people!
blankshield was our friend but now we’ve broken up it’s time to move on 🙂
@websanity
Not so fast … Turns out iThemes had the fix already pushed out on Feb 19th for the iTSec Pro (5.9.0) plugin.
Just had a look at it and it seems iThemes added some custom javascript. Based on browser, browser version and support for the noopener property either rel="noopener" is added to all target="_blank" anchor elements in the page (like in Google Chrome v72) or target="_blank" anchor links are protected by the blankshield script.
So it seems the blankshield script is here to stay …
Additionally below the entry from the Pro 5.9.0 changelog:
Bug Fix: Tabnapping: Apply noopener to links instead of using blankshield script when available to prevent new pop-up blocker behavior from killing the links.
This reply was modified 5 years, 7 months ago by nlpro. Reason: Added changelog entry
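The branching described in the post above, sketched as an added example that is not part of the thread and is not iThemes' or blankshield's code: links with target="_blank" get noopener merged into rel when the browser supports it, otherwise they are handed to a fallback. The function names, the supportsNoopener flag and the stub anchors are assumptions made for illustration.

```javascript
// Added example: not iThemes' or blankshield's code. All names are hypothetical.
// Anchors are duck-typed (getAttribute/setAttribute), so the functions work on
// real DOM elements as well as on the constructed stubs at the bottom.

// Merge "noopener" into a rel value without dropping tokens such as "nofollow".
function withNoopener(rel) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  if (!tokens.some((t) => t.toLowerCase() === "noopener")) tokens.push("noopener");
  return tokens.join(" ");
}

// target="_blank" links are the ones the feature discussed in the thread covers.
function opensNewTab(a) {
  return (a.getAttribute("target") || "").toLowerCase() === "_blank";
}

// supportsNoopener: boolean from the caller (assumption: detection is not shown on the page).
// fallback: handler for browsers without noopener, e.g. a blankshield-style interceptor.
function protectLinks(anchors, supportsNoopener, fallback) {
  const counts = { noopener: 0, fallback: 0, skipped: 0 };
  for (const a of anchors) {
    if (!opensNewTab(a)) { counts.skipped++; continue; }
    if (supportsNoopener) {
      a.setAttribute("rel", withNoopener(a.getAttribute("rel")));
      counts.noopener++;
    } else {
      fallback(a);
      counts.fallback++;
    }
  }
  return counts;
}

// Constructed stand-in for an <a> element, so the example runs outside a browser.
function stubAnchor(attrs) {
  const store = { ...attrs };
  return {
    getAttribute: (k) => (k in store ? store[k] : null),
    setAttribute: (k, v) => { store[k] = String(v); },
  };
}

// Constructed sample links.
const sample = [
  stubAnchor({ href: "https://example.com/booking", target: "_blank" }),
  stubAnchor({ href: "https://example.com/a", target: "_BLANK", rel: "nofollow" }),
  stubAnchor({ href: "/local" }),
];
console.log(protectLinks(sample, true, () => {}));
```

In a browser the same call can be made with `document.querySelectorAll("a")` as the anchor list.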
Fixed in 7.3.1, though the blankshield script has not been updated and the WordPress Tweaks feature is still using incorrect terminology (tabnapping) …
Well credit to them for sorting that out.
Thanks for pointing that out nlpro.
I’ve tested rolling backwards and updating and confirm that 7.3.0 has the problem but in 7.3.1 it is fixed.
I’ll mark this as resolved.
Bye folks!