Common Weakness Enumeration

CWE-1022

Allowed

Use of Web Link to Untrusted Target with window.opener Access

Abstraction: Variant · Status: Incomplete

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.

26 vulnerabilities reference this CWE, most recent first.

GHSA-PR3F-84FH-7R83

Vulnerability from github – Published: 2025-07-18 21:30 – Updated: 2025-08-02 03:31
VLAI
Details

IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.4 uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims’ web browser.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-33014"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1022"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-18T19:15:22Z",
    "severity": "MODERATE"
  },
  "details": "IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.4\u00a0uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims\u2019 web browser.",
  "id": "GHSA-pr3f-84fh-7r83",
  "modified": "2025-08-02T03:31:20Z",
  "published": "2025-07-18T21:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33014"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7240065"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-RG9F-CRX8-F39Q

Vulnerability from github – Published: 2025-08-12 03:31 – Updated: 2025-08-12 03:31
VLAI

{
  "affected": [],
  "aliases": [
    "CVE-2025-42941"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1022"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-12T03:15:26Z",
    "severity": "LOW"
  },
  "details": "SAP Fiori (Launchpad) is vulnerable to Reverse Tabnabbing vulnerability due to inadequate external navigation protections for its link (\u003ca\u003e) elements. An attacker with administrative user privileges could exploit this by leveraging compromised or malicious pages. While administrative access is necessary for certain configurations, the attacker does not need the administrative privileges to execute the attack. This could result in unintended manipulation of user sessions or exposure of sensitive information. The issue impacts the confidentiality and integrity of the system, but the availability remains unaffected.",
  "id": "GHSA-rg9f-crx8-f39q",
  "modified": "2025-08-12T03:31:52Z",
  "published": "2025-08-12T03:31:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42941"
    },
    {
      "type": "WEB",
      "url": "https://me.sap.com/notes/3624943"
    },
    {
      "type": "WEB",
      "url": "https://url.sap/sapsecuritypatchday"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-V6P8-2VXR-R5M4

Vulnerability from github – Published: 2023-08-28 15:30 – Updated: 2023-08-28 15:30
VLAI
Details

A vulnerability was found in glb Meetup Tag Extension 0.1 on MediaWiki. It has been rated as problematic. This issue affects some unknown processing of the component Link Attribute Handler. The manipulation leads to use of web link to untrusted target with window.opener access. Upgrading to version 0.2 is able to address this issue. The identifier of the patch is 850c726d6bbfe0bf270801fbb92a30babea4155c. It is recommended to upgrade the affected component. The identifier VDB-238157 was assigned to this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-25089"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1022"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-28T13:15:09Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in glb Meetup Tag Extension 0.1 on MediaWiki. It has been rated as problematic. This issue affects some unknown processing of the component Link Attribute Handler. The manipulation leads to use of web link to untrusted target with window.opener access. Upgrading to version 0.2 is able to address this issue. The identifier of the patch is 850c726d6bbfe0bf270801fbb92a30babea4155c. It is recommended to upgrade the affected component. The identifier VDB-238157 was assigned to this vulnerability.",
  "id": "GHSA-v6p8-2vxr-r5m4",
  "modified": "2023-08-28T15:30:16Z",
  "published": "2023-08-28T15:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25089"
    },
    {
      "type": "WEB",
      "url": "https://github.com/glb/mediawiki-tag-extension-meetup/commit/850c726d6bbfe0bf270801fbb92a30babea4155c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/glb/mediawiki-tag-extension-meetup/releases/tag/v0.2"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.238157"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.238157"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VVFJ-2JQX-52JM

Vulnerability from github – Published: 2025-09-26 14:26 – Updated: 2025-09-26 19:24
VLAI
Summary
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
Details

Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute.

This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if: - links generated by those extensions included target=_blank (no such extensions are known at time of writing) and - they were to click on a link generated in LaTeX (typically visibly different from other links).

For consistency with handling on other links, new versions of JupyterLab will enforce noopener and target=_blank on all links generated by typesetters. The former will harden the resilience of JupyterLab to extensions with lack of secure defaults in link rendering, and the latter will improve user experience by preventing accidental state loss when clicking on links rendered by LaTeX typesetters.

Impact

Since the official LaTeX typesetter extensions for JupyterLab: jupyterlab-mathjax (default), jupyterlab-mathjax2 and jupyterlab-katex do not include the target=_blank, there is no impact for JupyterLab users.

Patches

JupyterLab 4.4.8

Workarounds

No workarounds are necessary.

References

None

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.7"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1022"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-26T14:26:40Z",
    "nvd_published_at": "2025-09-26T16:15:48Z",
    "severity": "LOW"
  },
  "details": "Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the `noopener` attribute.\n\nThis is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if:\n- links generated by those extensions included `target=_blank` (no such extensions are known at time of writing) and\n- they were to click on a link generated in LaTeX (typically visibly different from other links).\n\nFor consistency with handling on other links, new versions of JupyterLab will enforce `noopener` and `target=_blank` on all links generated by typesetters. The former will harden the resilience of JupyterLab to extensions with lack of secure defaults in link rendering, and the latter will improve user experience by preventing accidental state loss when clicking on links rendered by LaTeX typesetters.\n\n### Impact\n\nSince the official LaTeX typesetter extensions for JupyterLab: `jupyterlab-mathjax` (default), `jupyterlab-mathjax2` and `jupyterlab-katex` do not include the `target=_blank`, there is no impact for JupyterLab users.\n\n### Patches\n\nJupyterLab 4.4.8\n\n### Workarounds\n\nNo workarounds are necessary.\n\n### References\n\nNone",
  "id": "GHSA-vvfj-2jqx-52jm",
  "modified": "2025-09-26T19:24:06Z",
  "published": "2025-09-26T14:26:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vvfj-2jqx-52jm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59842"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterlab/jupyterlab/commit/88ef373039a8cc09f27d3814382a512d9033675c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterlab/jupyterlab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "JupyterLab LaTeX typesetter links did not enforce `noopener` attribute"
}

GHSA-X9P2-FXQ6-2M5F

Vulnerability from github – Published: 2019-06-20 14:33 – Updated: 2021-08-16 23:44
VLAI
Summary
Reverse Tabnapping in swagger-ui
Details

Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page. This is commonly used for phishing attacks.

Recommendation

Upgrade to version 3.18.0 or later.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "swagger-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1022"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2019-06-20T14:13:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `swagger-ui` prior to 3.18.0 are vulnerable to [Reverse Tabnapping](https://www.owasp.org/index.php/Reverse_Tabnabbing). The package uses `target=\u0027_blank\u0027` in anchor tags, allowing attackers to access `window.opener` for the original page. This is commonly used for phishing attacks.\n\n\n## Recommendation\n\nUpgrade to version 3.18.0 or later.",
  "id": "GHSA-x9p2-fxq6-2m5f",
  "modified": "2021-08-16T23:44:47Z",
  "published": "2019-06-20T14:33:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-ui/pull/4789"
    },
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-ui/commit/3f4cae3334fdd492a373f4453bd03a9ebd87becf"
    },
    {
      "type": "WEB",
      "url": "https://github.com/swagger-api/swagger-ui/releases/tag/v3.18.0"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SWAGGERUI-449808"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/975"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Reverse Tabnapping in swagger-ui"
}

GHSA-XCXH-6CV4-Q8P8

Vulnerability from github – Published: 2025-08-12 00:13 – Updated: 2025-08-12 20:23
VLAI
Summary
HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
Details

Summary

When adding a "web link" to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab.

Details

While most modern browsers have fixes already implemented for this target="_blank" exploit at the browser level, users on outdated browsers remain vulnerable. This means that if an admin of the HFS instance adds a link to an external third-party service (that they believe is safe at the time) and that service they added later becomes compromised, the malicious page could replace the original HFS tab's content with a phishing page. This does not require the admin account itself to be compromised, only that a legitimate linked site turns malicious.

Impact

Affected users (people using old browsers without the browser level fix) could be misled into entering their HFS credentials or other sensitive information into a fake site controlled by an attacker. This vulnerability is fixed in most modern browsers, but adding rel="noopener noreferrer" remains a best practice to protect legacy environments.

PoC

Firstly, in the HFS admin page, under the filesystem (/~/admin/#/fs) press "Add" then "web link" then set the link to take the user to to an HTML file that exploits this vulnerability, here is an example of a malicious HTML file's code:

``` window.opener.location = "https://example.org"; Error loading...

```

Now, in the HFS folder you placed this web link in, open HFS and click the web link, if you aren't on a modern browser that fixed this vulnerability on the browser level, then switch back to the HFS tab that opened it, and you should be taken to "https://example.org" if you tried the code I provided, or whatever other page you tried.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.57.9"
      },
      "package": {
        "ecosystem": "npm",
        "name": "hfs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.57.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1022"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-12T00:13:03Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Summary\nWhen adding a \"web link\" to the HFS virtual filesystem, the frontend opens it with `target=\"_blank\"` but without the `rel=\"noopener noreferrer\"` attribute. This allows the opened page to use the `window.opener` property to change the location of the original HFS tab.\n\n### Details\nWhile most modern browsers have fixes already implemented for this `target=\"_blank\"` exploit at the browser level, users on outdated browsers remain vulnerable. This means that if an admin of the HFS instance adds a link to an external third-party service (that they believe is safe at the time) and that service they added later becomes compromised, the malicious page could replace the original HFS tab\u0027s content with a phishing page. This does not require the admin account itself to be compromised, only that a legitimate linked site turns malicious.\n\n### Impact\nAffected users (people using old browsers without the browser level fix) could be misled into entering their HFS credentials or other sensitive information into a fake site controlled by an attacker. This vulnerability is fixed in most modern browsers, but adding `rel=\"noopener noreferrer\"` remains a best practice to protect legacy environments.\n\n\n### PoC\n\nFirstly, in the HFS admin page, under the filesystem (/~/admin/#/fs) press \"Add\" then \"web link\" then set the link to take the user to to an HTML file that exploits this vulnerability, here is an example of a malicious HTML file\u0027s code:\n\n```\u003chtml\u003e\n \u003cbody\u003e\n  \u003cscript\u003e\n    window.opener.location = \"https://example.org\";\n  \u003c/script\u003e\n\u003cb\u003eError loading...\u003c/b\u003e\n \u003c/body\u003e\n\u003c/html\u003e\n```\n\nNow, in the HFS folder you placed this web link in, open HFS and click the web link, if you aren\u0027t on a modern browser that fixed this vulnerability on the browser level, then switch back to the HFS tab that opened it, and you should be taken to \"https://example.org\" if you tried the code I provided, or whatever other page you tried.",
  "id": "GHSA-xcxh-6cv4-q8p8",
  "modified": "2025-08-12T20:23:55Z",
  "published": "2025-08-12T00:13:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rejetto/hfs/security/advisories/GHSA-xcxh-6cv4-q8p8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rejetto/hfs/commit/6531bcd2ab285af88f91831e30d8a03f5b9fe20d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rejetto/hfs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HFS user adding a \"web link\" in HFS is vulnerable to \"target=_blank\" exploit"
}

Mitigation
Architecture and Design

Specify in the design that any linked external document must not be granted access to the location object of the calling page.

Mitigation
Implementation
  • When creating a link to an external document using the <a> tag with a defined target, for example "_blank" or a named frame, provide the rel attribute with a value "noopener noreferrer".
  • If opening the external document in a new window via javascript, then reset the opener by setting it equal to null.
Mitigation
Implementation

Do not use "_blank" targets. However, this can affect the usability of the application.

No CAPEC attack patterns related to this CWE.