CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access) — Vulnerability Class 12

12 vulnerabilities classified as CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access). AI Chinese analysis included.

CWE-1022 represents a security weakness where web applications generate links to untrusted external sites without adequately restricting the target page’s access to the originating window’s properties. The weakness typically arises when the application opens external links in new tabs with the `target="_blank"` attribute, which allows a malicious target site to manipulate the `window.opener` object. By modifying critical properties like `window.opener.location`, the attacker can redirect the original user to a phishing site or execute cross-site scripting attacks, effectively hijacking the user’s session or trust. To prevent this, developers must set `rel="noopener noreferrer"` on all external links. This practice severs the connection between the new window and the opener, ensuring that the external site cannot access or modify the parent window’s properties, thereby neutralizing the attack vector and preserving user security.

MITRE CWE Description
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.
Common Consequences (1)
Confidentiality · Alter Execution Logic
The user may be redirected to an untrusted page that contains undesired content or malicious script code.
Mitigations (3)
Architecture and Design: Specify in the design that any linked external document must not be granted access to the location object of the calling page.
Implementation: When creating a link to an external document using the <a> tag with a defined target, for example "_blank" or a named frame, provide the rel attribute with a value "noopener noreferrer". If opening the external document in a new window via javascript, then reset the opener by setting it equal to null.
Implementation: Do not use "_blank" targets. However, this can affect the usability of the application.
Examples (1)
In this example, the application opens a link in a named window/tab without taking precautions to prevent the called page from tampering with the calling page's location in the browser.
Bad · HTML
```html
<a href="http://attacker-site.example.com/useful-page.html" target="_blank">
```
Attack · JavaScript
```javascript
window.opener.location = 'http://phishing.example.org/popular-bank-page';
```
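
The Implementation mitigation above can be enforced over rendered markup before it ships. The following is an added example, not code from MITRE or from this page: it finds `<a>` tags that set a target and point off-site, and adds the missing `rel` tokens. The function names (`parseAttrs`, `isExternal`, `hardenLinks`) and the site origin `https://www.example.com` are hypothetical.

```javascript
// Added example: audit and harden <a> tags that open external targets.
// Assumption: regex attribute parsing is adequate for the server-rendered
// markup being checked; use a real HTML parser for arbitrary input.
const REQUIRED = ['noopener', 'noreferrer'];

// Parse the attributes of one opening <a ...> tag into a Map (names lower-cased).
function parseAttrs(tag) {
  const attrs = new Map();
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<a/i, '').replace(/\/?>$/, '');
  for (const m of body.matchAll(re)) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// True when href resolves to an origin other than the site's own.
function isExternal(href, siteOrigin) {
  try {
    return new URL(href, siteOrigin).origin !== new URL(siteOrigin).origin;
  } catch {
    return false; // unparsable href: not treated as an external link here
  }
}

// Returns { html, fixed }: hardened markup plus the hrefs whose tags were changed.
function hardenLinks(html, siteOrigin) {
  const fixed = [];
  const out = html.replace(/<a\s[^>]*>/gi, (tag) => {
    const attrs = parseAttrs(tag);
    const href = attrs.get('href');
    if (!attrs.has('target') || !href || !isExternal(href, siteOrigin)) return tag;
    const rel = new Set((attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean));
    if (REQUIRED.every((t) => rel.has(t))) return tag; // already hardened
    REQUIRED.forEach((t) => rel.add(t));
    attrs.set('rel', [...rel].join(' '));
    fixed.push(href);
    const rebuilt = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`);
    return `<a ${rebuilt.join(' ')}>`;
  });
  return { html: out, fixed };
}

// Constructed sample: the page's bad link, an internal link, a partial rel.
const SAMPLE = '<a href="http://attacker-site.example.com/useful-page.html" target="_blank">x</a>' +
  '<a href="/about" target="_blank">About</a>' +
  '<a href="https://partner.example.net/" target="docs" rel="nofollow">p</a>';
console.log(hardenLinks(SAMPLE, 'https://www.example.com'));
```

The `fixed` list doubles as an audit result: a non-empty list in CI means a template is emitting external links without the `rel` protection.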

Vulnerabilities classified as CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access) represent 12 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.