Bug #78507
closed
Links set to target="_blank" without rel="noopener" are vulnerable to reverse tabnabbing attacks
0%
Description
Vulnerability details
Opened windows through hrefs with target="_blank" can modify window.opener.location and replace the parent webpage with something else, even on different origin (bypassing same origin policy).
The lack of rel="noopener noreferrer" attribute can allow phising attacks to silently change the URL of source tab using window.opener.location.assign and trick the user into entering private information or credentials in the malicious copy as if it was still a trusted page.
External Reference- Target="_blank" - the most underestimated vulnerability ever
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
Suggested fix
Is it possible to add a TypoScript defined condition that would append something like ATagParams = rel="noopener noreferrer" on all hrefs set to target _blank, or class external-link-new-window, through the RTE link wizard?
Or this simple fix in typo3_src-7.6.11/typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php appends rel="noopener noreferrer" to every hrefs that has been set to target _blank.
@@ -1859,6 +1859,7 @@
$a1 = '<a href="' . htmlspecialchars($url) . '"'
. ' onclick="' . htmlspecialchars($onClick) . '"'
. ($target !== '' ? ' target="' . htmlspecialchars($target) . '"' : '')
+ . ($target === '_blank' ? ' rel="noopener noreferrer"' : '')
. $this->getTypoScriptFrontendController()->ATagParams . '>';
$a2 = '</a>';
$this->getTypoScriptFrontendController()->setJS('openPic');
@@ -5629,6 +5630,7 @@
$res = '<a href="' . htmlspecialchars($linkUrl) . '"'
. ($target !== '' ? ' target="' . htmlspecialchars($target) . '"' : '')
+ . ($target === '_blank' ? ' rel="noopener noreferrer"' : '')
. $aTagParams . $this->extLinkATagParams(('http://' . $parts[0]), 'url') . '>';
$wrap = isset($conf['wrap.']) ? $this->stdWrap($conf['wrap'], $conf['wrap.']) : $conf['wrap'];
@@ -6504,6 +6506,7 @@
$this->lastTypoLinkTarget = $target;
$finalTagParts['url'] = $this->lastTypoLinkUrl;
$finalTagParts['targetParams'] = $target ? ' target="' . htmlspecialchars($target) . '"' : '';
+ $finalTagParts['targetParams'] .= $target === '_blank' ? ' rel="noopener noreferrer"' : '';
$finalTagParts['aTagParams'] .= $this->extLinkATagParams($finalTagParts['url'], $linkType);
break;
@@ -6530,6 +6533,7 @@
$this->lastTypoLinkTarget = $target;
$finalTagParts['url'] = $this->lastTypoLinkUrl;
$finalTagParts['targetParams'] = $target ? ' target="' . htmlspecialchars($target) . '"' : '';
+ $finalTagParts['targetParams'] .= $target === '_blank' ? ' rel="noopener noreferrer"' : '';
$finalTagParts['aTagParams'] .= $this->extLinkATagParams($finalTagParts['url'], $linkType);
} else {
$this->getTimeTracker()->setTSlogMessage('typolink(): File "' . $splitLinkParam[0] . '" did not exist, so "' . $linktxt . '" was not linked.', 1);
@@ -6773,6 +6777,7 @@
// Rendering the tag.
$finalTagParts['url'] = $this->lastTypoLinkUrl;
$finalTagParts['targetParams'] = (string)$LD['target'] !== '' ? ' target="' . htmlspecialchars($LD['target']) . '"' : '';
+ $finalTagParts['targetParams'] .= (string)$LD['target'] === '_blank' ? ' rel="noopener noreferrer"' : '';
} else {
$this->getTimeTracker()->setTSlogMessage('typolink(): Page id "' . $linkParameter . '" was not found, so "' . $linktxt . '" was not linked.', 1);
return $linktxt;
Updated by Riccardo De Contardi about 8 years ago
- Status changed from New to Closed
I close this one as duplicate of #78488 please continue the discussion there. Thank you.
If you think that this is the wrong decision, please reopen it or open a new issue with a reference to this one. Thank you.