CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
Learn about CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access), its security impact, exploitation methods, and prevention guidelines.
What is Use of Web Link to Untrusted Target with window.opener Access?
• Overview: This vulnerability occurs when a web application creates links to untrusted external sites without preventing these sites from changing the window.opener object's security-critical properties, like the location property.
• Exploitation Methods:
- Attackers can exploit this by running scripts on the target page to modify the window.opener object.
- Common techniques include changing the location property to redirect users to malicious sites, potentially for phishing.
• Security Impact:
- Direct consequences include unauthorized redirection of users to malicious sites.
- Potential cascading effects involve further phishing attacks or data exposure.
- Business impact could include loss of user trust, potential data breaches, and reputational damage.
• Prevention Guidelines:
- Code-level fixes include setting rel="noopener" or rel="noreferrer" on links with target="_blank".
- Security best practices involve validating external links and minimizing reliance on target="_blank".
- Recommended tools and frameworks can include content security policies and security-focused JavaScript libraries.
Corgea can automatically detect and fix Use of Web Link to Untrusted Target with window.opener Access in your codebase. Try Corgea free today.
Technical Details
Likelihood of Exploit:
Affected Languages: JavaScript
Affected Technologies: Web Based
Vulnerable Code Example
JavaScript Example
// This function opens an external link in a new tab without any security features.
// The "noopener" feature is missing, so the opened page receives a window.opener reference to this page.
function openExternalLink(url) {
  const newWindow = window.open(url, '_blank');
  // Without "noopener", the new page can potentially change the location of the original page
  // through window.opener, leading to security vulnerabilities such as phishing attacks.
  return newWindow;
}
How to fix Use of Web Link to Untrusted Target with window.opener Access?
To fix this vulnerability, you should prevent the newly opened page from accessing the window.opener object. This can be achieved by using the noopener keyword in the window.open method. The noopener keyword ensures that the window.opener property is set to null, preventing the new page from accessing the original page and potentially changing its location or interacting with it in other harmful ways.
Additionally, using the noreferrer attribute can provide an extra layer of privacy by not sending the Referer header to the new page. This can be done by using the noopener noreferrer combination.
Fixed Code Example
// This function opens an external link in a new tab securely by using "noopener noreferrer".
function openExternalLink(url) {
  const newWindow = window.open(url, '_blank', 'noopener,noreferrer');
  // The use of "noopener" ensures that the new page cannot access the window.opener object,
  // mitigating the risk of the opener page being manipulated by the newly opened page.
  // "noreferrer" is used to enhance privacy by not sending the Referer header to the new page.
  // Note: when "noopener" is set, window.open() returns null instead of a window handle,
  // so callers must not rely on newWindow to focus or script the new tab.
  return newWindow;
}
In this fixed version, the use of 'noopener,noreferrer' as the third argument in window.open() ensures that the newly opened window cannot access the opener window's properties, thus mitigating the risk associated with the window.opener vulnerability. This approach not only secures the original page from potential malicious actions but also protects user privacy by not sharing the Referer header.
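The following is an added example, not code from the original page or from Corgea. It goes beyond the window.open case above: besides a safeOpen() wrapper that copes with the null return value, it audits anchor descriptors for target="_blank" links to untrusted origins that lack rel="noopener"/"noreferrer" (the prevention guideline above). SAME_ORIGIN and makeFakeWindow() are constructed placeholders for the real application origin and browser window.

```javascript
// Added example, not from the original page. SAME_ORIGIN and makeFakeWindow()
// are constructed stand-ins for the real application origin and browser window.
const SAME_ORIGIN = 'https://app.example.com';
// rel value that carries noopener and noreferrer, keeping existing tokens.
function hardenRel(rel) {
  const tokens = new Set((rel || '').split(/\s+/).filter(Boolean));
  tokens.add('noopener').add('noreferrer');
  return [...tokens].join(' ');
}
// External = resolves to another origin; unparseable hrefs fail closed.
function isExternal(href, origin = SAME_ORIGIN) {
  try { return new URL(href, origin).origin !== origin; } catch { return true; }
}
// CWE-1022 condition: target="_blank" to an untrusted origin with neither
// noopener nor noreferrer (noreferrer implies noopener in the HTML spec).
function needsFix(link) {
  if ((link.target || '').toLowerCase() !== '_blank' || !isExternal(link.href)) return false;
  const rel = (link.rel || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}
// Every offending link, paired with the rel value it should carry instead.
function auditLinks(links) {
  return links.filter(needsFix).map(l => ({ ...l, rel: hardenRel(l.rel) }));
}

// window.open wrapper: http(s) only, always 'noopener,noreferrer'. Edge case: with
// noopener the browser returns null, not a handle, so never call .focus() on it.
function safeOpen(win, url) {
  let resolved;
  try { resolved = new URL(url, SAME_ORIGIN); } catch { return null; }
  if (!['http:', 'https:'].includes(resolved.protocol)) return null;
  return win.open(resolved.href, '_blank', 'noopener,noreferrer');
}

// Constructed window stand-in: records calls and, like a browser, returns
// null when the features string contains noopener.
function makeFakeWindow() {
  const calls = [];
  const open = (url, target, features) => {
    calls.push({ url, target, features });
    return /\bnoopener\b/.test(features || '') ? null : { location: url };
  };
  return { calls, open };
}

const SAMPLE_LINKS = [ // constructed sample anchors as a page might render them
  { href: 'https://untrusted.example.net/', target: '_blank', rel: '' },
  { href: '/dashboard', target: '_blank', rel: 'nofollow' },
  { href: 'https://partner.example.org/', target: '_blank', rel: 'noreferrer' },
];
```

Running auditLinks(SAMPLE_LINKS) flags only the first anchor (same-origin links and links already carrying noreferrer pass), and safeOpen() against the fake window records the 'noopener,noreferrer' features while returning null.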