We Were Vulnerable

Opening a link in a new tab can allow an attacker to take control of the previous tab?

Did you know: specifying target="_blank" in an anchor tag (<a></a>) creates a gnarly vulnerability? A recent code review found that we were susceptible to this issue. We've since remediated the vulnerability on our site, and would like to raise awareness of it for our customers.

This vulnerability, which affects all major browsers, allows the newly opened page full read/write access to the parent page's window.location object.

For example, if doppler.com contains the html <a target="_blank" href="https://example.com">Click me!</a>, then clicking the link will open example.com in a new tab. This is expected. What's unexpected is that any JavaScript running on example.com now has full access to modify the location of the still-open doppler.com tab. This would allow example.com to redirect the Doppler tab to evil.com, or the (theoretical) sophisticated phishing site d0ppler.com.

If this all sounds theoretical, check out this excellent demo of the vulnerability. Fortunately, the fix is as simple as adding rel="noopener" to the anchor tag.

Vulnerable link:

<a target="_blank" href="https://example.com">Click me!</a>

Non-vulnerable link:

<a target="_blank" rel="noopener" href="https://example.com">Click me!</a>

Security is a constant focus at Doppler, and we will continue to do everything we can to earn, and keep, your trust.

Discussions

More Articles

When Being Scrappy Backfires
When it pays dividends to do it right the first time.
Build vs Manual vs Buy
Maximize value while lowering cost by picking the right secrets manager early on.
Focusing Doppler
A lesson learned building a second product too early and for the wrong reasons.