Date: 2018-08-23

blankshield

Prevent reverse tabnabbing based phishing attacks that take advantage of _blank targets. The library has been tested and is compatible with the latest versions of Chrome, Firefox, Safari, Opera, as well as IE6-11. This is a cross-browser solution for browsers that do not support noopener.

Overview

Tabs or windows opened using JavaScript or target="_blank" have some limited access to the parent window, ignoring cross-origin restrictions. Among other things, they can redirect the parent tab or window using window.opener.location.

While it may seem harmless, a phishing attack is possible when web applications permit or make use of user-submitted anchors with target="_blank" or window.open(). Consider the following scenario:

You're an admin using some forum or chat software. You're currently logged into the app, and view a message left by a user. The user asks or convinces you to click a link in his message, which opens in a new tab. While the new page may look completely safe - perhaps just a screenshot or bug report in some HTML, it executes the following JS:

window.opener.location.assign('https://yourcompanyname.phishing.com');

What you don't realize is that while dealing with this illegitimate customer or user complaint, your application's tab was redirected in the background. To what? An identical phishing website, simply requesting that you enter your credentials to log back in.

Is there a chance you might not check the URL? That you didn't notice the tab icon refresh? While many are suspicious of links they click and new tabs they open - what about existing tabs?

Vulnerable browsers

The following table outlines the scope of affected browsers:

Browser        Click   Shift + click   Meta/Ctrl + click
Chrome 40      x       x               x
Firefox 34
Opera 26       x       x               x
Safari 7, 8    x
IE6...11 [1]

[1] IE is not vulnerable to the attack by default. However, this can change depending on security zone settings.

Installation

The library can be installed via npm:

npm install --save blankshield

Or using bower:

bower install blankshield

Usage

blankshield.js works in global, CommonJS and AMD contexts.

blankshield is the main function exported by the library. It accepts an anchor element or array of elements, adding an event listener to each to help mitigate a potential reverse tabnabbing attack. For performance, any supplied object with a length attribute is assumed to be an array.

// A single element
blankshield(document.getElementById('some-anchor'));

// Array-like collections of elements
blankshield(document.getElementsByClassName('user-submitted-link'));
blankshield(document.getElementsByTagName('a'));
blankshield(document.querySelectorAll('a[target=_blank]'));

// A jQuery collection
blankshield($('a[target=_blank]'));

// An anchor that already has a click listener calling stopImmediatePropagation()
var anchor = document.getElementById('some-anchor');
anchor.addEventListener('click', function(e) {
  e.stopImmediatePropagation();
});
blankshield(document.getElementById('some-anchor'));

blankshield.open accepts the same arguments as window.open. If strWindowName is not one of the safe targets (_top, _self or _parent), it opens the destination url using "window.open" from an injected iframe, then removes the iframe. This behavior applies to all browsers except IE < 11, which use "window.open" followed by setting the child window's opener to null. If strWindowName is one of the safe targets, the url is simply opened with window.open().

blankshield.open('https://www.github.com/danielstjules');

$('body').on('click', 'a[target=_blank]', function(event) {
  var href = $(this).attr('href');
  blankshield.open(href);
  event.preventDefault();
});
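
The flow described above for blankshield.open, sketched as an added example that is not the library's own source. The names openShielded, legacyIE and fakeWindow are hypothetical, and the window object is passed in as an argument so the sequence can be traced outside a browser:

```javascript
// Added example, not blankshield's source: the opener-less open described above.
var SAFE_TARGETS = ['_top', '_self', '_parent'];

// win: the window to act on (pass `window` in a browser).
// legacyIE: hypothetical flag selecting the IE < 11 branch; detection is left to the caller.
function openShielded(win, url, name, features, legacyIE) {
  var child, iframe, doc = win.document;
  if (SAFE_TARGETS.indexOf(name) !== -1) {
    // Safe targets navigate an existing browsing context; open normally.
    return win.open(url, name, features);
  }
  if (legacyIE) {
    child = win.open(url, name, features);
    if (child) child.opener = null; // window.open returns null when the popup is blocked
    return child;
  }
  iframe = doc.createElement('iframe');
  iframe.style.display = 'none';
  doc.body.appendChild(iframe);
  try {
    // The new window is opened by the throwaway iframe, not by the application's window.
    return iframe.contentWindow.open(url, name, features);
  } finally {
    doc.body.removeChild(iframe); // runs even if open() throws
  }
}

// Constructed stand-in for a browser window, used only to trace the call sequence.
function fakeWindow(label, log) {
  var win = {
    open: function (url, name) {
      log.push(label + '.open ' + name);
      return { opener: win };
    },
    document: {
      createElement: function () {
        return { style: {}, contentWindow: fakeWindow('iframe', log) };
      },
      body: {
        appendChild: function () { log.push('iframe added'); },
        removeChild: function () { log.push('iframe removed'); }
      }
    }
  };
  return win;
}
```

In a browser, call openShielded(window, url, '_blank'); the fakeWindow helper is only needed when running the block without a DOM.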

blankshield.patch patches window.open() to use blankshield.open() for _blank targets.

blankshield.patch();

Solutions

A handful of solutions exist to prevent this sort of attack. You could: