JavaScript : Unsafe target link

Classification

OWASP Top 10 2017

A6-Security Misconfiguration

OWASP Top 10 2021

A4-Insecure Design A5-Security Misconfiguration

PCI DSS 4.0

7.2.6

HIPAA

§164.312 (a)(1)

CWE

CWE-266 CWE-1022

Overview

The application uses links with the attribute target="_blank", which allows you to load the page by reference in a new browser window. The loaded page accesses the source page through the window.opener object. Without setting restrictions on changes to the properties of the window.opener object, it is possible to redirect the user to a phishing site.

References

CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
OWASP Top 10 2017-A6-Security Misconfiguration
Target=“_blank” - the most underestimated vulnerability ever

MEDIUM

JavaScript : Unsafe target link

Classification

Overview

References

DerScanner Severity Score

Do you want to fix JavaScript : Unsafe target link in your application?

See also

JavaScript : Null salt

JavaScript : Empty encryption key

JavaScript : Unsafe Azure access control