Security Add “noopener” and “noreferrer”

The access the newly opened page gets can do harm, and while some of the permissions are automatically negated by cross-domain restrictions, window.location is fair game. Not only is this an issue in relation to phishing attacks, it's also a privacy concern because the newly opened website has ongoing access to the browsing location of the original tab.

To restrict window.opener access, the original page needs to add a rel="noopener" attribute to any link that has target="_blank". However, Firefox does not support that value, so you should actually use rel="noopener noreferrer" for full coverage.

This task is unfortunately easy to forget about, which is why I made this snippet.

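$(document).ready(function() {
    // Check every link on the page once the DOM is ready
    $('a').each(function() {
        // Match links that open a new tab or carry only one of the two rel values
        if ($(this).attr('target') == '_blank' ||
            $(this).attr('rel') == 'noopener' ||
            $(this).attr('rel') == 'noreferrer') {
            // Replace the rel attribute with both values
            $(this).attr('rel', 'noopener noreferrer');
        }
    });
});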

You need to enqueue this JS as a separate JS file or include it in an existing one within your child theme. Some themes allow for adding custom JS code, which should work just fine as well.
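
The snippet above replaces the whole rel attribute, so a link that also carries another token such as nofollow loses it. The following is an added example, not the author's code: a jQuery-free variant that merges the two values into whatever rel tokens a link already has. The names hardenRel and hardenLinks are assumptions made for illustration.

```javascript
// Added example: merge "noopener noreferrer" into a link's rel value
// without discarding tokens that are already there (e.g. "nofollow").
// hardenRel and hardenLinks are illustrative names, not from the post.

const REQUIRED = ['noopener', 'noreferrer'];

// Pure helper: returns the rel string a link should carry.
// target and rel are the raw attribute values (null when absent).
function hardenRel(target, rel) {
  // rel is a space-separated token list; compare tokens in lower case.
  const tokens = (rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  const opensNewTab = (target || '').trim().toLowerCase() === '_blank';
  const alreadyPartial = tokens.some((t) => REQUIRED.includes(t));
  if (!opensNewTab && !alreadyPartial) {
    return rel; // same-tab link with no opener-related tokens: leave as is
  }
  for (const t of REQUIRED) {
    if (!tokens.includes(t)) tokens.push(t);
  }
  return tokens.join(' ');
}

// DOM wrapper: apply the helper to every anchor under root and
// return how many links were changed.
function hardenLinks(root) {
  let changed = 0;
  for (const a of root.querySelectorAll('a')) {
    const before = a.getAttribute('rel');
    const after = hardenRel(a.getAttribute('target'), before);
    if (after !== before) {
      a.setAttribute('rel', after);
      changed += 1;
    }
  }
  return changed;
}

// Run in the browser once the DOM is parsed; skipped outside a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => hardenLinks(document));
}
```

Links inserted into the page after DOMContentLoaded are not covered by this one-time pass; call hardenLinks again on the container that received them.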
