The first link above is vulnerable to reverse tabnabbing since it uses target="_blank". Try clicking the link normally, or with a modifier key (shift, meta, etc.), but without using a right-click context menu. You'll be taken to a new tab, and this page will redirect to a fake, attacker-controlled "phishing page". The new tab is able to redirect this page through window.opener.location. The second link, however, is protected by blankshield(), the function provided by this library.

Why is this harmful? Because neither the linked-to page nor the phishing page lies on the same domain or origin as this GitHub page. The site hosting the link doesn't need to be compromised; it just needs to allow user-submitted anchors with target="_blank".

The following table outlines the scope of affected browsers (an "x" marks a click type that is vulnerable):

| Browser       | Click | Shift + click | Meta/Ctrl + click |
| Chrome 40     |   x   |       x       |         x         |
| Firefox 34    |       |               |                   |
| Opera 26      |   x   |       x       |         x         |
| Safari 7, 8   |   x   |               |                   |
| IE6...11 [1]  |       |               |                   |

[1] IE is not vulnerable to the attack by default. However, this can change depending on security zone settings.
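The two mitigations that break the window.opener chain described above, as an added example (this is not blankshield's own code): a helper that adds rel="noopener noreferrer" to any target="_blank" anchor, and an opener-severing function in the style of blankshield that opens about:blank, nulls the child's opener, and only then navigates it. The names hardenRel, openWithoutOpener and fakeWindowOpen are assumptions for this example; openFn is injectable so the flow can be exercised outside a browser.

```javascript
// Added example, not code from the blankshield project.
// Declarative fix: make sure an anchor that opens a new tab carries
// rel="noopener noreferrer" so the child gets no window.opener reference.
function hardenRel(target, rel) {
  if (target !== '_blank') return rel || '';
  const tokens = new Set((rel || '').split(/\s+/).filter(Boolean));
  tokens.add('noopener');
  tokens.add('noreferrer');
  return Array.from(tokens).join(' ');
}

// Script-side fix (the technique blankshield applies on older browsers):
// open about:blank, sever the opener, then navigate the child. By the time the
// destination loads, window.opener is null, so it cannot touch opener.location.
// openFn defaults to window.open; it is injectable for offline testing.
function openWithoutOpener(url, openFn) {
  const open = openFn || ((u, n) => window.open(u, n));
  // Refuse non-http(s) destinations: a javascript: URL would run with our
  // window still reachable before the opener is cleared.
  if (!/^https?:\/\//i.test(url)) {
    throw new Error('refusing to open non-http(s) URL: ' + url);
  }
  const child = open('about:blank', '_blank');
  if (!child) return null;          // popup blocked by the browser
  child.opener = null;              // sever the back-reference to this tab
  child.location = url;             // navigate only after opener is gone
  return child;
}

// Constructed stand-in for window.open so the flow can run under Node.
// A real child window starts with opener pointing back at the parent tab.
function fakeWindowOpen() {
  return { opener: { location: 'https://parent.example/page' }, location: 'about:blank' };
}
```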
This demo contains a fake static HTML bug tracker to help visualize the attack.
You are logged in as Admin

Fake bug tracker

Daniel St. Jules

Posts: 3
GitHub

A dummy bug report vulnerable to the attack

This is not a real issue tracker. But in this scenario, a user is requesting that you visit some page in hopes of acquiring your credentials. Unlike other phishing attacks, the opened link is not the final destination. To see how, click this link without using a modifier key or context menu. After being opened in a new tab due to its use of target="_blank", it will redirect this page. But using blankshield, clicking here will not cause this tab to redirect.

Click here to check out blankshield on GitHub and prevent this sort of attack