We Were Vulnerable

Opening a link in a new tab can allow an attacker to take control of the previous tab?

Did you know: specifying target="_blank" in an anchor tag (<a></a>) creates a gnarly vulnerability? A recent code review found that we were susceptible to this issue. We've since remediated the vulnerability on our site, and would like to raise awareness of it for our customers.

This vulnerability, which affects all major browsers, allows the newly opened page full read/write access to the parent page's window.location object.

For example, if doppler.com contains the html <a target="_blank" href="https://example.com">Click me!</a>, then clicking the link will open example.com in a new tab. This is expected. What's unexpected is that any JavaScript running on example.com now has full access to modify the location of the still-open doppler.com tab. This would allow example.com to redirect the Doppler tab to evil.com, or the (theoretical) sophisticated phishing site d0ppler.com.

If this all sounds theoretical, check out this excellent demo of the vulnerability. Fortunately, the fix is as simple as adding rel="noopener" to the anchor tag.

Vulnerable link:

<a target="_blank" href="https://example.com">Click me!</a>

Non-vulnerable link:

<a target="_blank" rel="noopener" href="https://example.com">Click me!</a>

Security is a constant focus at Doppler, and we will continue to do everything we can to earn, and keep, your trust.

More Articles

How to Set Environment Variables in Linux and Mac: The Missing Manual
Most articles only cover the basics so we've attempted to create the "missing manual" for using environment variables in Linux and Mac.
Press Release
Y Combinator company lands $2.3 Million in seed funding led by Sequoia Capital.
When Being Scrappy Backfires
When it pays dividends to do it right the first time.