Javascript Reverse Tabnabbing Window Open
Description
Detects potential reverse tabnabbing vulnerabilities in JavaScript code where window.open() is used without proper security attributes. Reverse tabnabbing allows an opened page to manipulate its opener window, which could enable phishing attacks where the parent page is redirected to a malicious site.
Detection Strategy
• Identifies calls to window.open() in JavaScript code
• Reports a vulnerability if window.open() is called without the noopener (or noreferrer, which implies noopener) feature in its third argument (windowFeatures), and the returned window handle's opener is not explicitly set to null afterwards
• Examines all instances where new windows or tabs are opened through window.open() API calls
• Considers the context of how the opened window is configured for potential opener manipulation risks
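The checker below is an added example of the detection strategy listed above; it is not the rule's own implementation, and the function names (findUnsafeWindowOpen, splitArgs, featuresDisableOpener) and the SAMPLE source are assumptions constructed for this page. It scans raw JavaScript text for window.open() calls, inspects the third argument for noopener, and treats a later assignment of null to the returned handle's opener as an explicit mitigation; a non-literal features argument is flagged for manual review rather than silently accepted.

```javascript
// Added example (not code from the Fluid Attacks rule page): a heuristic
// static checker for window.open() calls that lack noopener and whose opener
// is not nulled out. Regex-based on purpose, so it is not a full JS parser.

const CALL_RE = /\bwindow\s*\.\s*open\s*\(/g;

// Split the text after the call's "(" into top-level arguments, respecting
// nested brackets and string literals. Returns the args and the index of the
// call's closing ")".
function splitArgs(src, start) {
  const args = [];
  let depth = 0, cur = "", quote = null, i = start;
  for (; i < src.length; i++) {
    const ch = src[i];
    if (quote !== null) {                      // inside a string literal
      cur += ch;
      if (ch === "\\" && i + 1 < src.length) { cur += src[++i]; }
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === "`") { quote = ch; cur += ch; continue; }
    if ("([{".includes(ch)) depth++;
    else if (")]}".includes(ch)) {
      if (depth === 0) break;                  // closing paren of the call itself
      depth--;
    } else if (ch === "," && depth === 0) { args.push(cur.trim()); cur = ""; continue; }
    cur += ch;
  }
  if (cur.trim() !== "" || args.length > 0) args.push(cur.trim());
  return { args, end: i };
}

// 1-based line number of a character offset.
function lineOf(src, idx) {
  return src.slice(0, idx).split("\n").length;
}

// true  -> the windowFeatures literal contains "noopener"
// false -> no features argument, or a literal without "noopener"
// null  -> features is an expression we cannot evaluate statically
function featuresDisableOpener(arg) {
  if (arg === undefined) return false;
  const m = arg.match(/^(["'`])([\s\S]*)\1$/);
  if (!m) return null;
  return /\bnoopener\b/i.test(m[2]);
}

function findUnsafeWindowOpen(src) {
  const findings = [];
  CALL_RE.lastIndex = 0;
  let m;
  while ((m = CALL_RE.exec(src)) !== null) {
    const { args, end } = splitArgs(src, m.index + m[0].length);
    const byFeatures = featuresDisableOpener(args[2]);
    if (byFeatures === true) continue;         // noopener present: safe
    // Mitigation form: `const w = window.open(...); w.opener = null;`
    const before = src.slice(Math.max(0, m.index - 80), m.index);
    const assign = before.match(/([A-Za-z_]\w*)\s*=\s*$/);
    if (assign) {
      const nullRe = new RegExp("\\b" + assign[1] + "\\s*\\.\\s*opener\\s*=\\s*null\\b");
      if (nullRe.test(src.slice(end))) continue;
    }
    findings.push({
      line: lineOf(src, m.index),
      target: args[1] ?? null,
      features: args[2] ?? null,
      reason: byFeatures === null
        ? "windowFeatures is not a string literal; review manually"
        : "no noopener in windowFeatures and opener not set to null",
    });
  }
  return findings;
}

// Constructed sample input mixing the vulnerable and mitigated forms.
const SAMPLE = `
const externalURL = "https://external-site.com";
window.open("https://external-site.com", "_blank");            // line 3: vulnerable
window.open(externalURL, "_blank", "noopener,noreferrer");     // line 4: safe
const w = window.open(externalURL, "_blank");                  // line 5: mitigated below
w.opener = null;
window.open(externalURL, "_blank", features);                  // line 7: needs review
`;

// Reports lines 3 and 7 of SAMPLE.
console.log(JSON.stringify(findUnsafeWindowOpen(SAMPLE), null, 2));
```

Because it works on text, the checker misses aliased calls (`const open = window.open; open(url)`), bare `open(url)` from the global scope, and feature strings assembled at runtime, which is why a production rule of this kind is normally written against an AST rather than a regex.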
Vulnerable code example

// External URL that could be malicious
const externalURL = "https://external-site.com";

function unsafeWindowOpening() {
  // Vulnerable: Opens external URL without noopener protection
  window.open("https://external-site.com", "_blank");

  // Vulnerable: Uses variable URL without security parameters
  window.open(externalURL, "_blank");
}

✅ Secure code example
// External URL that could be malicious
const externalURL = "https://external-site.com";

function safeWindowOpening() {
  // Safe: Uses both noopener and noreferrer to prevent opener exploitation
  window.open("https://external-site.com", "_blank", "noopener,noreferrer");

  // Safe: Variable URL with required security attributes
  window.open(externalURL, "_blank", "noopener,noreferrer");
}