If you follow This Week in Linux you’ll know Firefox 79 is now adding the rel="noopener" attribute to all links using target="_blank". I believe they’re the first browser to do this.
Example: <a href="example.com" target="_blank" rel="noopener">link</a>
Because of how Web standards work, unless rel="noopener" is present, example.com can implant JavaScript into any browser tab containing any website in which a user clicked that example target="_blank" link. This is an issue if example.com is evil or if they’re compromised.
You can confirm if your browser is vulnerable here: About rel=noopener
Fix for Firefox ESR and Firefox < 79:
- Enter about:config into the address bar and press Enter.
- Click “I accept the risk!”
- Search for "dom.targetBlankNoOpener.enabled"
- Double-click the line, which turns the value to true.
Fix for Chromium:
- Do your own research to find a browser extension that adds noopener; the best one I could find is this one, with 244 users: https://chrome.google.com/webstore/detail/no-opener-no-phishers/hieejlcohhkjbpiihgphcnaaiehphike
When in doubt:
- Right-click the link and choose “Copy Link Location” or “Copy link address”
- Open a new tab, paste to the Address Bar and press Enter.
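
What a script or extension that adds noopener has to decide for each link, as an added example that is not part of the original post and is not the code of the extension linked above. It treats target as case-insensitive, keeps the rel tokens a link already has, and counts noreferrer as already implying noopener; the function names and sample links are constructed for illustration.

```javascript
// Works on any objects exposing getAttribute/setAttribute, so it runs in a
// browser (real <a> elements) and in Node (the constructed fakes below).

// rel is a space-separated, case-insensitive token list.
function relTokens(rel) {
  return (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// True when the link opens a new tab and the opened page would still get
// a reference back to the tab that opened it.
function needsNoopener(target, rel) {
  if ((target || "").toLowerCase() !== "_blank") return false;
  const tokens = relTokens(rel);
  return !tokens.includes("noopener") && !tokens.includes("noreferrer");
}

// Add "noopener" while keeping the tokens the author already set.
function hardenedRel(rel) {
  return [...relTokens(rel), "noopener"].join(" ");
}

// Patch every exposed link in place; return the hrefs that were changed.
function hardenAnchors(anchors) {
  const changed = [];
  for (const a of anchors) {
    if (needsNoopener(a.getAttribute("target"), a.getAttribute("rel"))) {
      a.setAttribute("rel", hardenedRel(a.getAttribute("rel")));
      changed.push(a.getAttribute("href"));
    }
  }
  return changed;
}

// Constructed stand-in for a DOM element (hypothetical helper, not a browser API).
function fakeAnchor(attrs) {
  return {
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    setAttribute: (name, value) => { attrs[name] = String(value); },
  };
}

// Run the check over constructed sample links.
function demo() {
  const links = [
    fakeAnchor({ href: "https://example.com/a", target: "_blank" }),
    fakeAnchor({ href: "https://example.com/b", target: "_BLANK", rel: "nofollow" }),
    fakeAnchor({ href: "https://example.com/c", target: "_blank", rel: "NoOpener" }),
    fakeAnchor({ href: "https://example.com/d", target: "_blank", rel: "noreferrer" }),
    fakeAnchor({ href: "https://example.com/e" }),
  ];
  return { changed: hardenAnchors(links), rels: links.map((l) => l.getAttribute("rel")) };
}
```

In a browser the same function can be called as hardenAnchors(document.querySelectorAll("a[target]")).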