CWE-1022
AllowedUse of Web Link to Untrusted Target with window.opener Access
Abstraction: Variant · Status: Incomplete
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
26 vulnerabilities reference this CWE, most recent first.
GHSA-PR3F-84FH-7R83
Vulnerability from github – Published: 2025-07-18 21:30 – Updated: 2025-08-02 03:31IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.4 uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims’ web browser.
{
"affected": [],
"aliases": [
"CVE-2025-33014"
],
"database_specific": {
"cwe_ids": [
"CWE-1022"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-18T19:15:22Z",
"severity": "MODERATE"
},
"details": "IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.4\u00a0uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims\u2019 web browser.",
"id": "GHSA-pr3f-84fh-7r83",
"modified": "2025-08-02T03:31:20Z",
"published": "2025-07-18T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33014"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/7240065"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RG9F-CRX8-F39Q
Vulnerability from github – Published: 2025-08-12 03:31 – Updated: 2025-08-12 03:31SAP Fiori (Launchpad) is vulnerable to Reverse Tabnabbing vulnerability due to inadequate external navigation protections for its link () elements. An attacker with administrative user privileges could exploit this by leveraging compromised or malicious pages. While administrative access is necessary for certain configurations, the attacker does not need the administrative privileges to execute the attack. This could result in unintended manipulation of user sessions or exposure of sensitive information. The issue impacts the confidentiality and integrity of the system, but the availability remains unaffected.
{
"affected": [],
"aliases": [
"CVE-2025-42941"
],
"database_specific": {
"cwe_ids": [
"CWE-1022"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-12T03:15:26Z",
"severity": "LOW"
},
"details": "SAP Fiori (Launchpad) is vulnerable to Reverse Tabnabbing vulnerability due to inadequate external navigation protections for its link (\u003ca\u003e) elements. An attacker with administrative user privileges could exploit this by leveraging compromised or malicious pages. While administrative access is necessary for certain configurations, the attacker does not need the administrative privileges to execute the attack. This could result in unintended manipulation of user sessions or exposure of sensitive information. The issue impacts the confidentiality and integrity of the system, but the availability remains unaffected.",
"id": "GHSA-rg9f-crx8-f39q",
"modified": "2025-08-12T03:31:52Z",
"published": "2025-08-12T03:31:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42941"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3624943"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-V6P8-2VXR-R5M4
Vulnerability from github – Published: 2023-08-28 15:30 – Updated: 2023-08-28 15:30A vulnerability was found in glb Meetup Tag Extension 0.1 on MediaWiki. It has been rated as problematic. This issue affects some unknown processing of the component Link Attribute Handler. The manipulation leads to use of web link to untrusted target with window.opener access. Upgrading to version 0.2 is able to address this issue. The identifier of the patch is 850c726d6bbfe0bf270801fbb92a30babea4155c. It is recommended to upgrade the affected component. The identifier VDB-238157 was assigned to this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-25089"
],
"database_specific": {
"cwe_ids": [
"CWE-1022"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-08-28T13:15:09Z",
"severity": "LOW"
},
"details": "A vulnerability was found in glb Meetup Tag Extension 0.1 on MediaWiki. It has been rated as problematic. This issue affects some unknown processing of the component Link Attribute Handler. The manipulation leads to use of web link to untrusted target with window.opener access. Upgrading to version 0.2 is able to address this issue. The identifier of the patch is 850c726d6bbfe0bf270801fbb92a30babea4155c. It is recommended to upgrade the affected component. The identifier VDB-238157 was assigned to this vulnerability.",
"id": "GHSA-v6p8-2vxr-r5m4",
"modified": "2023-08-28T15:30:16Z",
"published": "2023-08-28T15:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25089"
},
{
"type": "WEB",
"url": "https://github.com/glb/mediawiki-tag-extension-meetup/commit/850c726d6bbfe0bf270801fbb92a30babea4155c"
},
{
"type": "WEB",
"url": "https://github.com/glb/mediawiki-tag-extension-meetup/releases/tag/v0.2"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.238157"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.238157"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VVFJ-2JQX-52JM
Vulnerability from github – Published: 2025-09-26 14:26 – Updated: 2025-09-26 19:24Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute.
This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if:
- links generated by those extensions included target=_blank (no such extensions are known at time of writing) and
- they were to click on a link generated in LaTeX (typically visibly different from other links).
For consistency with handling on other links, new versions of JupyterLab will enforce noopener and target=_blank on all links generated by typesetters. The former will harden the resilience of JupyterLab to extensions with lack of secure defaults in link rendering, and the latter will improve user experience by preventing accidental state loss when clicking on links rendered by LaTeX typesetters.
Impact
Since the official LaTeX typesetter extensions for JupyterLab: jupyterlab-mathjax (default), jupyterlab-mathjax2 and jupyterlab-katex do not include the target=_blank, there is no impact for JupyterLab users.
Patches
JupyterLab 4.4.8
Workarounds
No workarounds are necessary.
References
None
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.4.7"
},
"package": {
"ecosystem": "PyPI",
"name": "jupyterlab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-59842"
],
"database_specific": {
"cwe_ids": [
"CWE-1022"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-26T14:26:40Z",
"nvd_published_at": "2025-09-26T16:15:48Z",
"severity": "LOW"
},
"details": "Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the `noopener` attribute.\n\nThis is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if:\n- links generated by those extensions included `target=_blank` (no such extensions are known at time of writing) and\n- they were to click on a link generated in LaTeX (typically visibly different from other links).\n\nFor consistency with handling on other links, new versions of JupyterLab will enforce `noopener` and `target=_blank` on all links generated by typesetters. The former will harden the resilience of JupyterLab to extensions with lack of secure defaults in link rendering, and the latter will improve user experience by preventing accidental state loss when clicking on links rendered by LaTeX typesetters.\n\n### Impact\n\nSince the official LaTeX typesetter extensions for JupyterLab: `jupyterlab-mathjax` (default), `jupyterlab-mathjax2` and `jupyterlab-katex` do not include the `target=_blank`, there is no impact for JupyterLab users.\n\n### Patches\n\nJupyterLab 4.4.8\n\n### Workarounds\n\nNo workarounds are necessary.\n\n### References\n\nNone",
"id": "GHSA-vvfj-2jqx-52jm",
"modified": "2025-09-26T19:24:06Z",
"published": "2025-09-26T14:26:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vvfj-2jqx-52jm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59842"
},
{
"type": "WEB",
"url": "https://github.com/jupyterlab/jupyterlab/commit/88ef373039a8cc09f27d3814382a512d9033675c"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyterlab/jupyterlab"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "JupyterLab LaTeX typesetter links did not enforce `noopener` attribute"
}
GHSA-X9P2-FXQ6-2M5F
Vulnerability from github – Published: 2019-06-20 14:33 – Updated: 2021-08-16 23:44Versions of swagger-ui prior to 3.18.0 are vulnerable to Reverse Tabnapping. The package uses target='_blank' in anchor tags, allowing attackers to access window.opener for the original page. This is commonly used for phishing attacks.
Recommendation
Upgrade to version 3.18.0 or later.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "swagger-ui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.18.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1022"
],
"github_reviewed": true,
"github_reviewed_at": "2019-06-20T14:13:56Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Versions of `swagger-ui` prior to 3.18.0 are vulnerable to [Reverse Tabnapping](https://www.owasp.org/index.php/Reverse_Tabnabbing). The package uses `target=\u0027_blank\u0027` in anchor tags, allowing attackers to access `window.opener` for the original page. This is commonly used for phishing attacks.\n\n\n## Recommendation\n\nUpgrade to version 3.18.0 or later.",
"id": "GHSA-x9p2-fxq6-2m5f",
"modified": "2021-08-16T23:44:47Z",
"published": "2019-06-20T14:33:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-ui/pull/4789"
},
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-ui/commit/3f4cae3334fdd492a373f4453bd03a9ebd87becf"
},
{
"type": "WEB",
"url": "https://github.com/swagger-api/swagger-ui/releases/tag/v3.18.0"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-SWAGGERUI-449808"
},
{
"type": "WEB",
"url": "https://www.npmjs.com/advisories/975"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Reverse Tabnapping in swagger-ui"
}
GHSA-XCXH-6CV4-Q8P8
Vulnerability from github – Published: 2025-08-12 00:13 – Updated: 2025-08-12 20:23Summary
When adding a "web link" to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab.
Details
While most modern browsers have fixes already implemented for this target="_blank" exploit at the browser level, users on outdated browsers remain vulnerable. This means that if an admin of the HFS instance adds a link to an external third-party service (that they believe is safe at the time) and that service they added later becomes compromised, the malicious page could replace the original HFS tab's content with a phishing page. This does not require the admin account itself to be compromised, only that a legitimate linked site turns malicious.
Impact
Affected users (people using old browsers without the browser level fix) could be misled into entering their HFS credentials or other sensitive information into a fake site controlled by an attacker. This vulnerability is fixed in most modern browsers, but adding rel="noopener noreferrer" remains a best practice to protect legacy environments.
PoC
Firstly, in the HFS admin page, under the filesystem (/~/admin/#/fs) press "Add" then "web link" then set the link to take the user to to an HTML file that exploits this vulnerability, here is an example of a malicious HTML file's code:
``` window.opener.location = "https://example.org"; Error loading...
```
Now, in the HFS folder you placed this web link in, open HFS and click the web link, if you aren't on a modern browser that fixed this vulnerability on the browser level, then switch back to the HFS tab that opened it, and you should be taken to "https://example.org" if you tried the code I provided, or whatever other page you tried.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.57.9"
},
"package": {
"ecosystem": "npm",
"name": "hfs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.57.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1022"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-12T00:13:03Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\nWhen adding a \"web link\" to the HFS virtual filesystem, the frontend opens it with `target=\"_blank\"` but without the `rel=\"noopener noreferrer\"` attribute. This allows the opened page to use the `window.opener` property to change the location of the original HFS tab.\n\n### Details\nWhile most modern browsers have fixes already implemented for this `target=\"_blank\"` exploit at the browser level, users on outdated browsers remain vulnerable. This means that if an admin of the HFS instance adds a link to an external third-party service (that they believe is safe at the time) and that service they added later becomes compromised, the malicious page could replace the original HFS tab\u0027s content with a phishing page. This does not require the admin account itself to be compromised, only that a legitimate linked site turns malicious.\n\n### Impact\nAffected users (people using old browsers without the browser level fix) could be misled into entering their HFS credentials or other sensitive information into a fake site controlled by an attacker. This vulnerability is fixed in most modern browsers, but adding `rel=\"noopener noreferrer\"` remains a best practice to protect legacy environments.\n\n\n### PoC\n\nFirstly, in the HFS admin page, under the filesystem (/~/admin/#/fs) press \"Add\" then \"web link\" then set the link to take the user to to an HTML file that exploits this vulnerability, here is an example of a malicious HTML file\u0027s code:\n\n```\u003chtml\u003e\n \u003cbody\u003e\n \u003cscript\u003e\n window.opener.location = \"https://example.org\";\n \u003c/script\u003e\n\u003cb\u003eError loading...\u003c/b\u003e\n \u003c/body\u003e\n\u003c/html\u003e\n```\n\nNow, in the HFS folder you placed this web link in, open HFS and click the web link, if you aren\u0027t on a modern browser that fixed this vulnerability on the browser level, then switch back to the HFS tab that opened it, and you should be taken to \"https://example.org\" if you tried the code I provided, or whatever other page you tried.",
"id": "GHSA-xcxh-6cv4-q8p8",
"modified": "2025-08-12T20:23:55Z",
"published": "2025-08-12T00:13:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rejetto/hfs/security/advisories/GHSA-xcxh-6cv4-q8p8"
},
{
"type": "WEB",
"url": "https://github.com/rejetto/hfs/commit/6531bcd2ab285af88f91831e30d8a03f5b9fe20d"
},
{
"type": "PACKAGE",
"url": "https://github.com/rejetto/hfs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "HFS user adding a \"web link\" in HFS is vulnerable to \"target=_blank\" exploit"
}
Mitigation
Specify in the design that any linked external document must not be granted access to the location object of the calling page.
Mitigation
- When creating a link to an external document using the <a> tag with a defined target, for example "_blank" or a named frame, provide the rel attribute with a value "noopener noreferrer".
- If opening the external document in a new window via javascript, then reset the opener by setting it equal to null.
Mitigation
Do not use "_blank" targets. However, this can affect the usability of the application.
No CAPEC attack patterns related to this CWE.