What is Tabnabbing?
Setting the target attribute of an anchor tag to _blank is quite common when you want to open a link in a new browser tab. What is not commonly understood is that this can lead to a vulnerability known as tabnabbing.
When a page is opened via target="_blank", the newly opened page receives a reference to the originating page's window through the window.opener object. A malicious site can use that reference to silently redirect your original tab to a fake login page — and users, switching back to that tab, often don't notice and hand over their credentials.
The Fix is Simple
You can easily avoid this vulnerability by adding a rel attribute to the anchor tag and setting it to "noopener noreferrer".
So next time you write code like this:
<a href="https://example.com" target="_blank">Example</a>
Take an extra moment and add the rel attribute:
<a href="https://example.com" target="_blank" rel="noopener noreferrer">Example</a>
What do these values do?
- noopener — prevents the new page from accessing window.opener, cutting off the attack vector entirely.
- noreferrer — additionally hides the referrer header, so the destination site doesn't know which page sent the user there.
Modern browsers have started defaulting to noopener behaviour for target="_blank" links, but not all versions and not all browsers do. Being explicit costs nothing and protects everyone.
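As an added example (not code from the original post), here is a small Node.js checker that finds anchors opening a new tab without noopener or noreferrer and rewrites them into the hardened form shown above. The regex-based scan of <a> start tags is an assumption that suits static checks on templates; it is not a full HTML parser.

```javascript
// Added example: audit HTML for target="_blank" anchors that still expose
// window.opener, and add rel="noopener noreferrer" where it is missing.

// Parse the attribute list of a single start tag into a lowercase-keyed object.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// True when the anchor opens a new tab and neither rel token severs the opener
// (noreferrer implies noopener, so either one is enough).
function isUnsafeBlankLink(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Return the href of every anchor that is vulnerable to tabnabbing.
function findTabnabbingLinks(html) {
  const found = [];
  const tagRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (isUnsafeBlankLink(attrs)) found.push(attrs.href || "");
  }
  return found;
}

// Rewrite vulnerable anchors, merging any existing rel tokens (e.g. nofollow).
function hardenBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, body) => {
    const attrs = parseAttrs(body);
    if (!isUnsafeBlankLink(attrs)) return tag;
    const existing = (attrs.rel || "").split(/\s+/).filter(Boolean);
    const rel = [...new Set([...existing, "noopener", "noreferrer"])].join(" ");
    const stripped = body.replace(/\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, "");
    return `<a${stripped} rel="${rel}">`;
  });
}

// Constructed sample input: two unsafe links, one already hardened, one same-tab.
const SAMPLE_HTML =
  '<a href="https://example.com" target="_blank">Example</a>' +
  '<a href="/safe" target="_blank" rel="noopener noreferrer">Safe</a>' +
  '<a href="/tagged" target="_blank" rel="nofollow">Tagged</a>' +
  '<a href="/same-tab">Same tab</a>';

module.exports = { parseAttrs, isUnsafeBlankLink, findTabnabbingLinks, hardenBlankLinks, SAMPLE_HTML };
```

Running findTabnabbingLinks over the sample flags the first and third links; after hardenBlankLinks the audit returns an empty list and the nofollow link keeps its original token alongside the new ones.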