The target="_blank" vulnerability and WordPress's rel="noopener noreferrer" solution

Since version 4.7.4, WordPress ships the new version of the bundled TinyMCE editor, which fixes what is known as the target="_blank" vulnerability by automatically adding the relation rel="noopener noreferrer" to this type of link. Did you notice?

When the debate arose in the article about what's new in WordPress 4.7, and was later raised in the support forums, I started to investigate a bit, so let's shed some light on the subject.

What is the target="_blank" vulnerability?

This vulnerability, also known as reverse tabnabbing, is a type of phishing attack in which the attacker replaces the legitimate, trusted tab with a malicious document using window.opener.location.assign() when the page was reached through a link that opens in a new window/tab, that is, a target="_blank" link.

What the attacker does is use window.opener.location to take the user to a fake page that pretends to be the original one, or execute some JavaScript on the opening page that the user trusts.

Put simply, with reverse tabnabbing, when you click a link on a website and it opens in a new tab, the original page is swapped, without you noticing, for a fake page that pretends to be the real one, and that is what you find when you go back to the original tab.

It looks like the original page you were viewing but has a different URL (which can be clearly seen). The problem is that most users do not notice that the URL has changed, since they almost never check it, least of all when they think they are on a website they trust, for example this one.

For example, the fake website will ask you to log in to your account again. But you are no longer where you thought you were: you are in a copy of the original tab that holds a different document, in this case a malicious one. If you enter your details, you have handed them over to the attackers, who can do anything with your credentials.

On this page you have a (non-malicious) example of reverse tabnabbing if you want to try it first-hand without danger.

What does the rel="noopener noreferrer" relation do?

The way to avoid the target="_blank" vulnerability, or reverse tabnabbing, is to add the link relation rel="noopener" to your links that open in a new window/tab and, since the Firefox browser does not recognize this relation, to add the noreferrer relation as well, giving: rel="noopener noreferrer".

In this way, to avoid the vulnerability, your external link should be something like this:

This eliminates the possibility of exploiting the aforementioned vulnerability. Simple, right? The downside is having to add this to each external link one by one, but we use WordPress, right?

Does adding noopener noreferrer affect SEO?

A question that has come up in the forums, and right here in the comments, is whether this affects anything: for example, links that have the nofollow attribute are modified by adding the noopener noreferrer attributes. I mean, if you had a link of this type in a post …

If you update it, it will look like this:

And the same question has been asked more generally: does adding these link relations affect SEO in any way?

Well, no. As Google has answered in response to webmasters' questions, it is a plain link: adding noopener noreferrer neither adds, removes nor affects the ranking of links, whether they have nofollow or not.
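The rule described above (add noopener noreferrer to target="_blank" links and keep existing tokens such as nofollow), as an added example that is not WordPress or TinyMCE code. The function names and sample links are constructed, and the regular expressions assume editor-style markup with no ">" inside attribute values.

```javascript
// Added example: not WordPress or TinyMCE source. All names are hypothetical.
const REQUIRED = ["noopener", "noreferrer"];
const A_TAG = /<a(\s[^>]*)>/gi; // assumes no ">" inside attribute values
const BLANK = /\starget\s*=\s*(?:"_blank"|'_blank'|_blank(?=\s|$))/i;
const REL = /(\srel\s*=\s*)(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Merge the required tokens into a rel value, keeping existing ones (e.g. nofollow).
function hardenRel(rel) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const seen = new Set(tokens.map((t) => t.toLowerCase()));
  for (const t of REQUIRED) if (!seen.has(t)) tokens.push(t);
  return tokens.join(" ");
}

// Audit: return the target="_blank" anchors that do not carry rel="noopener".
function findUnsafeAnchors(html) {
  return [...html.matchAll(A_TAG)]
    .filter((m) => BLANK.test(m[1]))
    .filter((m) => {
      const r = REL.exec(m[1]);
      const rel = r ? (r[2] ?? r[3] ?? r[4]) : "";
      return !rel.toLowerCase().split(/\s+/).includes("noopener");
    })
    .map((m) => m[0]);
}

// Fix: add the tokens to every target="_blank" anchor; other links are untouched.
function hardenAnchors(html) {
  return html.replace(A_TAG, (tag, attrs) => {
    if (!BLANK.test(attrs)) return tag;
    if (!REL.test(attrs)) return `<a${attrs} rel="${hardenRel("")}">`;
    const fixed = attrs.replace(REL, (m, pre, dq, sq, bare) =>
      `${pre}"${hardenRel(dq ?? sq ?? bare)}"`);
    return `<a${fixed}>`;
  });
}

// Constructed sample content (example.com is a placeholder).
const sample = [
  '<a href="https://example.com/a" target="_blank">new tab</a>',
  '<a href="https://example.com/b" target="_blank" rel="nofollow">sponsored</a>',
  '<a href="https://example.com/c">same tab</a>',
].join("\n");

console.log(findUnsafeAnchors(sample)); // the two target="_blank" anchors
console.log(hardenAnchors(sample));
```

Running the audit over stored post content shows which links predate the editor change; the fix is idempotent, so it can be applied to content that is already partly hardened.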

How does WordPress solve this vulnerability?

As I mentioned at the beginning of the article, WordPress, in version 4.7.4, incorporated the update of the bundled TinyMCE editor, which solves this vulnerability by automatically adding the relation rel="noopener noreferrer" to all links with target="_blank", both in new content and in existing content if you open it for editing, a quite effective solution.

Of course, WordPress/TinyMCE only adds the noopener noreferrer relation to the links that you choose to open in a new window/tab, that is, those in which you do this:

What if I do not want WordPress to protect me from the reverse tabnabbing vulnerability, or whatever it's called?

If you prefer to live dangerously, you can deactivate this feature of the WordPress TinyMCE editor by adding the following code to your utility plugin or to the functions.php file of the active child theme, but DO NOT DO IT:

So what do I do?

Nothing, really. The fact that the relation rel="noopener noreferrer" is added to links that open in a new window/tab is a security feature that protects you and your visitors from a serious vulnerability and from information theft, and it is good that WordPress/TinyMCE protects us from it.
