If an <a> tag has target="_blank", or a page is opened with window.open,
the opened page keeps a handle to the opening tab through window.opener and can replace the original tab with
opener.location="https://www.evilsite.com";
This can be used in a phishing attack: the victim returns to the original tab and finds a look-alike page in its place.
To fix it, add rel="noopener" to the <a> tag, and pass 'noopener' as the third argument of window.open():
window.open('https://www.your.url','_blank','noopener')
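As an added example, not part of the original note: a small JavaScript audit that flags anchors opening a new tab without rel="noopener" (or rel="noreferrer", which implies it), plus a wrapper that forces 'noopener' into the window.open features string. SAMPLE_HTML is constructed input, and safeOpen's openFn parameter is an injectable stand-in for window.open so the code also runs under Node.

```javascript
// Constructed sample markup: one unsafe anchor, two safe ones, one not _blank.
const SAMPLE_HTML = `
<a href="https://partner.example/a" target="_blank">unsafe</a>
<a href="https://partner.example/b" target="_blank" rel="noopener">safe</a>
<a href="https://partner.example/c" target=_blank rel='nofollow noreferrer'>safe too</a>
<a href="/local" target="_self">same tab</a>
`;

// Parse the attributes of one opening tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return hrefs of anchors that open a new tab while leaving window.opener
// reachable. rel="noreferrer" implies noopener, so either token is accepted.
function auditAnchors(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if ((a.target || '').toLowerCase() !== '_blank') continue;
    const rel = (a.rel || '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener') && !rel.includes('noreferrer')) {
      findings.push(a.href || '(no href)');
    }
  }
  return findings;
}

// Ensure the window.open features string carries 'noopener'.
function hardenFeatures(features = '') {
  const tokens = features.split(',').map(t => t.trim()).filter(Boolean);
  if (!tokens.some(t => t.toLowerCase() === 'noopener')) tokens.push('noopener');
  return tokens.join(',');
}

// Open url in a new tab with opener access cut. openFn defaults to window.open
// in a browser and is injectable (a stand-in) so the code also runs under Node.
function safeOpen(url, features = '', openFn = globalThis.open) {
  return openFn(url, '_blank', hardenFeatures(features));
}
```

Browsers following the current HTML spec already treat target="_blank" as noopener by default; the explicit attribute and features token remain the fix for older browsers and are what the audit checks for.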
Add the header Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
so that once a user has loaded the HTTPS version of the site, the browser will upgrade every later request to HTTPS internally
and never send a plain HTTP request for the max-age period (here one year).