Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

Unsafe third-party link (target="_blank")

Avatar

Level 5
Level 5
8/6/19 10:34:21 AM

Hi All,

I am doing the scanning of my application(I am using AEM6.4) on IBM AppScan tool and found issue for "target="-blank" is unsafe. I am using newtab ( target="_blank") while authoring the URL in text content in RTE. And as per the tool recommendation the fix is :- Add the attribute rel = "noopener noreferrer" to each link element with target="_blank".

My doubt is do I need to add this fix with all of my target="_blank" on my AEM pages because I never used it. Please suggest

Regards,

Views

4.5K

Replies

2
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 2
Level 2
8/6/19 10:10:31 PM

The third-party links with target="_blank" attribute and no rel="noopener noreferrer" attribute allows linked page partial access to the linking page window object. object of the original page to the linked page via window.opener object.This can be exploited for phishing attacks if the linked page is malicious.

So in your case If this is coming from RTE only then you need to place this as an authoring guildeline, But however , if this is coming from a hyperlink or CTA component then you should handle this programmatically, you can write an utility which identifies whether an link is external or not and based on that plance rel="noopener noreferrer" with the anchor tag.

View solution in original post

Views

3.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
2 Replies

Avatar

Correct answer by
Level 2
Level 2
8/6/19 10:10:31 PM

The third-party links with target="_blank" attribute and no rel="noopener noreferrer" attribute allows linked page partial access to the linking page window object. object of the original page to the linked page via window.opener object.This can be exploited for phishing attacks if the linked page is malicious.

So in your case If this is coming from RTE only then you need to place this as an authoring guildeline, But however , if this is coming from a hyperlink or CTA component then you should handle this programmatically, you can write an utility which identifies whether an link is external or not and based on that plance rel="noopener noreferrer" with the anchor tag.

Views

3.7K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
AEM 6.5.21 link invalid Solved

Views

71

Likes

0

Replies

2
trying to get certified in AEM development: any tips/reading material/links you can share? Solved

Views

161

Likes

0

Replies

4
Import third party dependency Solved

Views

257

Likes

0

Replies

6
Remove deep linking from URL for carousel component (v1) Solved

Views

134

Likes

0

Replies

2
AEM Users: Which Third-Party Tool Do You Prefer - Veracode, Snyk, or Others ? Solved

Views

130

Likes

0

Replies

4