I’m not suggesting that you should do this… just that you could if you wanted to.
What is target="_blank"?
Adding the target attribute to a link specifies where to open the linked document; adding target="_blank" to a link is the most popular method of ensuring a link is opened in a new window.
There are other target attribute values; target="_self" will open the link in the same window that the link was clicked in. This is the default and therefore isn’t usually added, much like rel="follow" for links intended to pass PageRank.
The page we’re linking to gains partial access to the linking page via the window.opener object.
So the recipient of the link can change the window.opener.location to another page if he or she desires. Alex points out that this has implications for phishing attacks. His example is as follows:
Example attack: create a fake “viral” page with cute cat pictures, jokes or whatever, get it shared on Facebook (which is known for opening links via _blank) and every time someone clicks the link – execute
window.opener.location = 'https://fakewebsite/facebook.com/PHISHING-PAGE.html';
…redirecting to a page that asks the user to re-enter her Facebook password.
The attribute could also be used to open (non-malicious) commercial pages. Next time you’re looking through your backlink profile, look out for links using target="_blank" (there will probably be quite a few); instead of asking the site owner to redirect the link you can do it yourself, to any page you want, with 100% success. Although there’s absolutely no guarantee that this will pass PageRank.
Alex ALSO points out that Google knows that this can be done via links with the target="_blank" attribute and doesn’t seem to care, saying:
Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can’t be meaningfully mitigated by any single website; in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones.
It’s ironic that Google says it thinks the web can’t be policed by any single website.
- CSS-Tricks has a list of when to/when not to use the target="_blank" attribute.
- Mathias Bynens seems to have discovered the vulnerability and suggests you probably shouldn’t use the attribute unless you have to, but has published recommendations on how to fix it on GitHub.
- h/t to Branded3 legend Douglas Radburn for tweeting this!
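
For site owners who want to close the window.opener access described above on their own outbound links, here is an added example (not from the original post or from the recommendations it links to) that audits markup for target="_blank" anchors and hardens them. It assumes the standard HTML link types rel="noopener" and rel="noreferrer", which this page does not name; the function names and sample markup are hypothetical.

```javascript
// Added example: audit HTML for <a target="_blank"> links that leave
// window.opener reachable, and return a hardened copy of the markup.
// Simplification (assumption): a regex tag scan, so attribute values that
// contain ">" or text that looks like another attribute are not handled.

// Matches name="v", name='v' or name=v inside one opening tag.
const attrPattern = (name) =>
  new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');

function getAttr(tag, name) {
  const m = attrPattern(name).exec(tag);
  return m ? [m[1], m[2], m[3]].find((v) => v !== undefined) : null;
}

function hardenBlankLinks(html) {
  const findings = []; // href of every link that needed fixing
  const hardened = html.replace(/<a\s[^>]*>/gi, (tag) => {
    const target = getAttr(tag, 'target');
    if (target === null || target.toLowerCase() !== '_blank') return tag;

    const rel = getAttr(tag, 'rel');
    const tokens = rel ? rel.split(/\s+/).filter(Boolean) : [];
    const lower = tokens.map((t) => t.toLowerCase());
    // Either link type makes window.opener null in the opened page.
    if (lower.includes('noopener') || lower.includes('noreferrer')) return tag;

    findings.push(getAttr(tag, 'href'));
    // Keep existing tokens such as nofollow, then append the two link types.
    const newRel = ` rel="${[...tokens, 'noopener', 'noreferrer'].join(' ')}"`;
    return rel !== null
      ? tag.replace(attrPattern('rel'), () => newRel)
      : tag.replace(/\s*>$/, () => `${newRel}>`);
  });
  return { html: hardened, findings };
}

// Constructed sample markup (not from the original page).
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">unprotected</a>',
  '<a href="https://example.com/b" target="_blank" rel="nofollow">keeps nofollow</a>',
  "<a href='https://example.com/c' target=_BLANK rel='noopener'>already safe</a>",
  '<a href="https://example.com/d">same tab</a>',
].join('\n');

const report = hardenBlankLinks(SAMPLE);
console.log(report.findings);
console.log(report.html);
```

Run over templates or rendered pages in a build or CI step, the findings list shows which outbound links still expose the opener.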