External links use noopener noreferrer
Why it matters
An external link opened with target='_blank' without rel='noopener' gives the opened page access to window.opener — a reference back to your tab's window object. A malicious destination site (or one compromised via XSS) can call window.opener.location = 'https://phishing-site.com' to silently redirect your tab to a phishing page while the user is reading the opened content. CWE-1021 (Improper Restriction of Rendered UI Layers) applies directly. OWASP A05 lists missing noopener as a common misconfiguration. Modern browsers now default to noopener, but explicit attributes are required for backward compatibility and code-review clarity.
Severity rationale
Low because modern browsers default `target='_blank'` to noopener behavior, but explicit `rel='noopener noreferrer'` is required for older browser compatibility and eliminates referrer leakage to external domains.
Remediation
Add rel='noopener noreferrer' to every <a target='_blank'> pointing to an external domain. The noreferrer attribute also prevents sending your page URL as the HTTP Referer to the destination.
// All external links opening in new tabs
<a
  href="https://example.com"
  target="_blank"
  rel="noopener noreferrer"
>
  External Link
</a>
In Next.js, the <Link> component automatically adds rel='noopener' for external links with target='_blank' in recent versions — but noreferrer must still be added manually if you want to suppress Referer headers.
Detection
- ID: noopener-external-links
- Severity: low
- What to look for: Search all components and page files for external links with target="_blank". For each, check whether rel="noopener noreferrer" (or equivalent framework behavior) is present. In Next.js, the <Link> component automatically adds rel="noopener" for external links with target="_blank". Count all external links with target="_blank".
- Pass criteria: 100% of external links with target="_blank" have rel="noopener noreferrer" or equivalent framework-provided behavior. Report: "X of Y external links have noopener."
- Fail criteria: Any external link with target="_blank" lacks rel="noopener" or equivalent.
- Skip (N/A) when: No external links with target="_blank" found in any component.
- Detail on fail: "X of Y external links with target='_blank' lack rel='noopener noreferrer'" or "External link in Footer component missing noopener — target page can access window.opener"
- Remediation: Without noopener, the opened page can access window.opener and navigate your page to a phishing URL. Add rel="noopener noreferrer" to all external links: <a href="https://example.com" target="_blank" rel="noopener noreferrer">External Link</a>. Modern browsers default to noopener behavior, but explicit is better for compatibility and clarity.
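The scanner below is an added example, not code from the original rule page or from any framework it mentions. It implements the "What to look for" search and the pass/fail/skip criteria above over a constructed set of component sources. It assumes (these assumptions are not from the page) that anchors are written as literal <a ...> tags with quoted string attributes, that SITE_HOST is the first-party host, and that "external" means an absolute http(s) URL on any other host.

```javascript
// Added example, not part of the original rule page: a small source scanner
// implementing the "What to look for" and pass/fail/skip logic of this rule.
// Assumptions (not from the page): anchors are literal <a ...> tags (HTML or
// JSX) with quoted string attributes, and "external" means an absolute http(s)
// URL whose host differs from SITE_HOST.

const SITE_HOST = "example.org"; // hypothetical first-party host

// Constructed sample sources standing in for a components/ directory.
const SAMPLE_FILES = {
  "components/Footer.jsx": `
    <a href="https://partner.example.com" target="_blank">Partner</a>
    <a href="https://docs.example.com" target="_blank" rel="noopener noreferrer">Docs</a>
  `,
  "components/Nav.jsx": `
    <a href="/about" target="_blank">About</a>
    <a href="https://example.org/blog" target="_blank">Blog</a>
    <a href="https://status.example.com" target='_blank' rel='noreferrer noopener'>Status</a>
    <article>not an anchor</article>
  `,
};

// Parse the quoted attributes of one opening <a ...> tag into an object.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// External = absolute http(s) URL on a host other than our own.
// Relative hrefs make `new URL` throw, so they count as internal.
function isExternal(href) {
  try {
    const u = new URL(href);
    return (u.protocol === "http:" || u.protocol === "https:") && u.hostname !== SITE_HOST;
  } catch {
    return false;
  }
}

// rel is a space-separated token list; token order does not matter.
function relTokens(rel) {
  return (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// Scan every file for external target="_blank" anchors and apply the rule.
function scanFiles(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    const tagRe = /<a\b([^>]*)>/gi; // \b keeps <abbr>/<article> from matching
    let m;
    while ((m = tagRe.exec(source)) !== null) {
      const a = parseAttrs(m[1]);
      if (a.target !== "_blank" || !isExternal(a.href)) continue;
      const rel = relTokens(a.rel);
      findings.push({
        path,
        href: a.href,
        noopener: rel.includes("noopener"),
        noreferrer: rel.includes("noreferrer"),
      });
    }
  }
  const total = findings.length;
  const ok = findings.filter((f) => f.noopener).length;
  const status = total === 0 ? "skip" : ok === total ? "pass" : "fail";
  return { status, total, ok, findings };
}

// Render the result in the wording the rule's pass/fail detail expects.
function report(result) {
  const { status, total, ok, findings } = result;
  if (status === "skip") return 'N/A: no external links with target="_blank" found';
  if (status === "pass") return `${ok} of ${total} external links have noopener.`;
  const lines = [
    `${total - ok} of ${total} external links with target='_blank' lack rel='noopener noreferrer'`,
  ];
  for (const f of findings.filter((f) => !f.noopener)) {
    lines.push(`${f.path}: ${f.href} missing noopener - target page can access window.opener`);
  }
  return lines.join("\n");
}

console.log(report(scanFiles(SAMPLE_FILES)));
```

Run against the constructed files it reports a fail for the Partner link in Footer.jsx only: the two same-host and relative anchors in Nav.jsx are skipped as internal, and the Status link passes even though its rel tokens are in the opposite order. A real run would read the files from disk and would need to handle JSX expression attributes such as target={...}, which this scanner deliberately does not parse.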
External references
- cwe · CWE-1021
- owasp:2021 · A05
Taxons
History
- 2026-04-18·v1.0.0·Initial import from security-headers-ii·automated