Expand my Community achievements bar.

SOLVED

Unsafe third-party link (target="_blank")

Avatar

Level 5

Hi All,

I am doing the scanning of my application(I am using AEM6.4) on IBM AppScan tool and found issue for "target="-blank" is unsafe. I am using newtab ( target="_blank") while authoring the URL in text content in RTE. And as per the tool recommendation the fix is :- Add the attribute rel = "noopener noreferrer" to each link element with target="_blank".

My doubt is do I need to add this fix with all of my target="_blank" on my AEM pages because I never used it. Please suggest

Regards,

1 Accepted Solution

Avatar

Correct answer by
Level 2

The third-party links with target="_blank" attribute and no rel="noopener noreferrer" attribute allows linked page partial access to the linking page window object. object of the original page to the linked page via window.opener object.This can be exploited for phishing attacks if the linked page is malicious.

So in your case If this is coming from RTE only then you need to place this as an authoring guildeline, But however , if this is coming from a hyperlink or CTA component then you should handle this programmatically, you can write an utility which identifies whether an link is external or not and based on that plance rel="noopener noreferrer" with the anchor tag.

View solution in original post

2 Replies

Avatar

Correct answer by
Level 2

The third-party links with target="_blank" attribute and no rel="noopener noreferrer" attribute allows linked page partial access to the linking page window object. object of the original page to the linked page via window.opener object.This can be exploited for phishing attacks if the linked page is malicious.

So in your case If this is coming from RTE only then you need to place this as an authoring guildeline, But however , if this is coming from a hyperlink or CTA component then you should handle this programmatically, you can write an utility which identifies whether an link is external or not and based on that plance rel="noopener noreferrer" with the anchor tag.