F-2025-0012 · configuration

Tabnabbing vulnerability in external links

Acknowledged · typescript · widget · router-api
TL;DR

External links opened with target='_blank' did not include rel='noopener noreferrer', allowing the opened page to access window.opener and potentially redirect the original tab.

Severity: LOW
Impact: LOW
Likelihood: LOW
Method: Manual review
CAT.
Complexity: LOW
Exploitability: LOW

Description

External links rendered with target="_blank" did not include rel="noopener noreferrer". The opened page retained a window.opener reference and could redirect the original tab to a phishing destination.

Recommendation

Add rel="noopener noreferrer" to every target="_blank" anchor in the widget. Enforce this via a wrapper component to prevent regressions.
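One way to implement the wrapper and a regression check, as an added example (not code from the audited widget or from the audit report). The names hardenRel, externalLinkAttrs and findUnsafeBlankAnchors and the sample markup are hypothetical, and the code is framework-agnostic because the page does not name the widget's UI framework.

```typescript
// Added example; all names are hypothetical, not taken from the audited widget.
const REQUIRED_REL = ["noopener", "noreferrer"];

interface AnchorAttrs { href: string; target: string; rel: string; }

// Merge the required tokens into whatever rel value the caller supplied,
// so an existing value such as "nofollow" is kept rather than overwritten.
function hardenRel(rel?: string): string {
  const tokens = (rel || "").split(/\s+/).filter((t) => t.length > 0);
  const lower = tokens.map((t) => t.toLowerCase());
  for (const req of REQUIRED_REL) {
    if (lower.indexOf(req) === -1) { tokens.push(req); lower.push(req); }
  }
  return tokens.join(" ");
}

// The single place where attributes for a new-tab link are built.
// A wrapper component would spread this result onto its <a> element.
function externalLinkAttrs(href: string, rel?: string): AnchorAttrs {
  return { href: href, target: "_blank", rel: hardenRel(rel) };
}

// Regression check over rendered markup: returns every <a ...> opening tag that
// uses target=_blank without both tokens. Regex-based, so it assumes attribute
// values contain no '>' character; good enough for a CI lint, not an HTML parser.
function findUnsafeBlankAnchors(markup: string): string[] {
  const unsafe: string[] = [];
  const tagRe = /<a\b[^>]*>/gi;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(markup)) !== null) {
    const tag = m[0] || "";
    if (!/\btarget\s*=\s*["']?_blank\b/i.test(tag)) continue;
    const relMatch = /\brel\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    const rel = relMatch ? (relMatch[1] || relMatch[2] || "") : "";
    const have = rel.toLowerCase().split(/\s+/);
    if (REQUIRED_REL.some((r) => have.indexOf(r) === -1)) unsafe.push(tag);
  }
  return unsafe;
}

// Constructed sample markup (not from the audited code base).
const SAMPLE = [
  '<a href="https://example.org" target="_blank">docs</a>',
  '<a href="https://example.org" target="_blank" rel="noopener">docs</a>',
  '<a href="https://example.org" target="_blank" rel="noreferrer noopener">docs</a>',
  '<a href="/local">home</a>',
].join("\n");
```

Running findUnsafeBlankAnchors over the widget's rendered output in a unit test flags any anchor that bypasses the wrapper.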

Initia: Acknowledged. Pashov Audit Group: Acknowledged.
