Link with target=“_blank” and rel=“noopener noreferrer” still vulnerable?

Question

I see people recommending that whenever one uses target=\"_blank\" in a link to open it in a different window, they should put rel=\"noopener noreferrer\"

Answer 1

Links with target="_blank" on them are vulnerable to having the referrer page being swapped out in the background while the user's attention is diverted by the newly-opened tab. This is known as reverse tabnapping:

The referring page is stored in window.opener, and a malicious site could modify this through:

if (window.opener) {
   window.opener.location = "https://phish.example.com";
}

Adding rel="noopener noreferrer" fixes this vulnerability in all major browsers.

Note that you could theoretically remove the rel client-side through manipulation... but why would you want to? All you are doing is deliberately making yourself vulnerable to the attack.

Other users who visit the same website (and don't modify their own client-side code) would still be safe, as the server would still serve up the rel="noopener noreferrer". Your removal of it only applies to you.