Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Unsafe third-party link (target="_blank")

varuns46785756
Level 5
Level 5

Hi All,

I am doing the scanning of my application(I am using AEM6.4) on IBM AppScan tool and found issue for "target="-blank" is unsafe. I am using newtab ( target="_blank") while authoring the URL in text content in RTE. And as per the tool recommendation the fix is :- Add the attribute rel = "noopener noreferrer" to each link element with target="_blank".

My doubt is do I need to add this fix with all of my target="_blank" on my AEM pages because I never used it. Please suggest

Regards,

1 Accepted Solution
PriyankaBiswal
Correct answer by
Level 2
Level 2

The third-party links with target="_blank" attribute and no rel="noopener noreferrer" attribute allows linked page partial access to the linking page window object. object of the original page to the linked page via window.opener object.This can be exploited for phishing attacks if the linked page is malicious.

So in your case If this is coming from RTE only then you need to place this as an authoring guildeline, But however , if this is coming from a hyperlink or CTA component then you should handle this programmatically, you can write an utility which identifies whether an link is external or not and based on that plance rel="noopener noreferrer" with the anchor tag.

View solution in original post

2 Replies
PriyankaBiswal
Correct answer by
Level 2
Level 2

The third-party links with target="_blank" attribute and no rel="noopener noreferrer" attribute allows linked page partial access to the linking page window object. object of the original page to the linked page via window.opener object.This can be exploited for phishing attacks if the linked page is malicious.

So in your case If this is coming from RTE only then you need to place this as an authoring guildeline, But however , if this is coming from a hyperlink or CTA component then you should handle this programmatically, you can write an utility which identifies whether an link is external or not and based on that plance rel="noopener noreferrer" with the anchor tag.