The target=_blank security issue
There’s a little-known security risk built into the design of HTML. It concerns links that open in a new tab or window. You make it happen by specifying target="_blank" in an anchor (a) element. For example:
<a href="https://something.example.com" target="_blank">
The trouble is that when you do it, you put the page containing that link at risk. For some bizarre reason, the designers of HTML decided that the destination page should get a window.opener property that references the source page's window. This gives the target page, the one run by someone else, considerable control over your page. For instance, it can redirect your page to another URL.
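An added example, not part of the original post: a small JavaScript lint that finds target="_blank" links whose rel lacks noopener (or noreferrer, which implies it), the values that make the browser set window.opener to null in the opened page, and proposes the hardened tag. The function names and sample markup are constructed for illustration, and the regex-based parsing is an assumption suited to a lint pass, not a full HTML parser.

```javascript
// Added example (not from the original post): lint HTML for target="_blank"
// links that leave window.opener exposed. Function names are illustrative.
const TAG_RE = /<(a|area)\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
const REL_RE = /\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i;

// Parse one opening tag into a lower-cased attribute name -> value map.
function parseAttrs(tag) {
  const attrs = Object.create(null);
  const body = tag.replace(/^<\w+/, "").replace(/>$/, "");
  for (const m of body.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in browsers.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// True when the link opens a new tab/window and rel does not cut off the opener.
function exposesOpener(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
  return !rel.includes("noopener") && !rel.includes("noreferrer");
}

// Return the tag with "noopener" merged into rel, keeping existing tokens.
function hardenTag(tag) {
  const attrs = parseAttrs(tag);
  if (!exposesOpener(attrs)) return tag;
  const rel = [...(attrs.rel || "").split(/\s+/).filter(Boolean), "noopener"].join(" ");
  return tag.replace(REL_RE, "").replace(/^<(\w+)/, (_, name) => `<${name} rel="${rel}"`);
}

// List every exposed link in an HTML string with its suggested replacement tag.
function auditHtml(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(m[0]);
    if (exposesOpener(attrs)) {
      findings.push({ href: attrs.href ?? null, tag: m[0], fixed: hardenTag(m[0]) });
    }
  }
  return findings;
}

// Constructed sample markup: two exposed links, one hardened link, one same-tab link.
const SAMPLE = `
<a href="https://something.example.com" target="_blank">partner</a>
<a href="https://docs.example.org" target="_blank" rel="noopener">docs</a>
<A HREF='https://ads.example.net' TARGET=_BLANK REL="nofollow">ad</A>
<a href="/local">same tab</a>`;
console.log(auditHtml(SAMPLE));
```

Current browsers already treat target="_blank" as if rel="noopener" were set, so the explicit attribute mainly protects visitors on older browsers and documents the intent.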