Doppler: We Were Vulnerable

How specifying target="_blank" in an anchor tag created a gnarly vulnerability.
Feb 21, 2021

Did you know: specifying target="_blank" in an anchor tag () creates a gnarly vulnerability? A recent code review found that we were susceptible to this issue. We've since remediated the vulnerability on our site, and would like to raise awareness of it for our customers.

This vulnerability, which affects all major browsers, allows the newly opened page full read/write access to the parent page's window.location object.

For example, if contains the html Click me!, then clicking the link will open in a new tab. This is expected. What's unexpected is that any JavaScript running on now has full access to modify the location of the still-open tab. This would allow to redirect the Doppler tab to, or the (theoretical) sophisticated phishing site

If this all sounds theoretical, check out this excellent demo of the vulnerability. Fortunately, the fix is as simple as adding rel="noopener" to the anchor tag.

Vulnerable link:

Click me!

Non-vulnerable link:

Click me!

Security is a constant focus at Doppler, and we will continue to do everything we can to earn, and keep, your trust.