• Home
• org.sonarsource.javascript
• javascript-checks
• 10.2.0.21568
• source code
• S5148.html

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.sonar.l10n.javascript.rules.javascript.S5148.html Maven / Gradle / Ivy

A newly opened window having access back to the originating window could allow basic phishing attacks (the window.opener object is not
null and thus window.opener.location can be set to a malicious website by the opened page).
For instance, an attacker can put a link (say: "http://example.com/mylink") on a popular website that changes, when opened, the original page to
"http://example.com/fake_login". On "http://example.com/fake_login" there is a fake login page which could trick real users to enter their
credentials.
Ask Yourself Whether

  
 The application opens untrusted external URL. 

There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Use noopener to prevent untrusted pages from abusing window.opener.
Note: In Chrome 88+, Firefox 79+ or Safari 12.1+ target=_blank on anchors implies rel=noopener which make the protection
enabled by default.
Sensitive Code Example
window.open("https://example.com/dangerous");

Compliant Solution
window.open("https://example.com/dangerous", "WindowName", "noopener");

See

  
 OWASP Top 10 2021 Category A5 - Security Misconfiguration 
  
 Reverse Tabnabbing 
  
 MITRE, CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access 
  
 OWASP Top 10 2017 Category A6 - Security
  Misconfiguration 
  
 https://mathiasbynens.github.io/rel-noopener/