HTML5 : Unsafe target link

Classification

OWASP Top 10 2017

A6-Security Misconfiguration

OWASP Top 10 2021

A4-Insecure Design A5-Security Misconfiguration

PCI DSS 4.0

7.2.6

HIPAA

§164.312 (a)(1)

CWE

CWE-266 CWE-1022

Overview

The application uses links with the attribute target="_blank", which allows you to load the page by reference in a new browser window. The loaded page accesses the source page through the window.opener object. Without setting restrictions on changes to the properties of the window.opener object, it is possible to redirect the user to a phishing site.

References

CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
OWASP Top 10 2017-A6-Security Misconfiguration
Target=“_blank” - the most underestimated vulnerability ever

MEDIUM

HTML5 : Unsafe target link

Classification

Overview

References

DerScanner Severity Score

Do you want to fix HTML5 : Unsafe target link in your application?

See also

HTML5 : Missing required cryptographic step

HTML5 : Weak hashing algorithm

HTML5 : Cross-site request forgery (CSRF)