Security Issue: "_blank" rel="noopener noreferrer" | Flatsome Features

Security Issue: "_blank" rel="noopener noreferrer"

complete

hope semper

Recently in the update 4.7.4 wordpress added an option to the target="_blank" because a vulnerability in their editor tinymc adding rel="noopener noreferrer" by default when _blank was selected
https://github.com/tinymce/tinymce/issues/3177
https://www.tinymce.com/docs/changelog/#version450-november232016
https://dev.to/ben/the-targetblank-vulnerability-by-example
anyone can hack your system with the window.opener vulnerability
as far we use ux-builder and not tinymce was good to change by default

UX Themes

Thanks, great post!

hope semper

UX Themes: Thanks :-) ..... I hope that even is marked as complete they fix it

UX Themes

hope semper: I'm pretty sure when Tommy labels as "complete", it's implemented/fixed for the next version.

Tommy Jacobs Vedvik

marked this post as

complete

Invalid Date

Tommy Jacobs Vedvik

Thanks for the heads up :) This is more related to WordPress. UX Builder uses the default WordPress tinymce editor.

hope semper

Tommy Jacobs Vedvik: Hi, I don't think so... if I use a New Window for any link ux-builder don't add noopener... but if I use the regular editor wordpress add that option... so, the vulnerability is still there :-( ... for any link to new windows with flatsome ux-builder

hope semper

Tommy Jacobs Vedvik: I don't mean with the text-editor option of ux-builder... I mean with the new-window option of buttons, etc,...

Tommy Jacobs Vedvik

hope semper: Ah, now I understand. We'll add rel="noopener noreferrer" to target="_blank" links

hope semper

Tommy Jacobs Vedvik: Thanks :-)

hope semper

the vulnerability has the name: reverse tabnabbing
btw someone want to learn more about
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever
https://mathiasbynens.github.io/rel-noopener/