Share one-off secrets securely with expiring links.

We Were Vulnerable

Opening a link in a new tab can allow an attacker to take control of the previous tab?

Did you know: specifying target="_blank" in an anchor tag (<a></a>) creates a gnarly vulnerability? A recent code review found that we were susceptible to this issue. We've since remediated the vulnerability on our site, and would like to raise awareness of it for our customers.

This vulnerability, which affects all major browsers, allows the newly opened page full read/write access to the parent page's window.location object.

For example, if contains the html <a target="_blank" href="">Click me!</a>, then clicking the link will open in a new tab. This is expected. What's unexpected is that any JavaScript running on now has full access to modify the location of the still-open tab. This would allow to redirect the Doppler tab to, or the (theoretical) sophisticated phishing site

If this all sounds theoretical, check out this excellent demo of the vulnerability. Fortunately, the fix is as simple as adding rel="noopener" to the anchor tag.

Vulnerable link:

<a target="_blank" href="">Click me!</a>

Non-vulnerable link:

<a target="_blank" rel="noopener" href="">Click me!</a>

Security is a constant focus at Doppler, and we will continue to do everything we can to earn, and keep, your trust.

More Articles

Achieving SOC 2 Compliance
Developers and organizations trust Doppler with securely managing and serving millions of secrets to their applications and we’re excited to announce that Doppler has achieved SOC 2 Compliance.
Using Environment Variables in Node.js for App Configuration and Secrets
Learn why experienced Node.js developers use environment variables for application config and secrets, including how to manage default values and typecasting.
Using Environment Variables in Python for App Configuration and Secrets
Learn how experienced developers use environment variables in Python, including managing default values and typecasting.