Find unsafe target blank links on your site

Links that open in a new tab without rel='noopener' let the opened page redirect your site to a phishing page. SiteCurl checks every external link.

No signup required. Results in under 60 seconds.

What this check does

SiteCurl scans every external link on your pages that uses target="_blank" and checks for the rel="noopener" or rel="noreferrer" attribute. Links missing these attributes are flagged because they allow the opened page to access your page through the browser's window.opener object.

The check only flags external links. Internal links that open in a new tab are not a risk because they go to pages you control. SiteCurl reports the number of unsafe links and lists the specific URLs so you know exactly which links to fix.

On a full scan of 50 pages, SiteCurl can check hundreds of external links. Each unsafe link is a potential phishing vector, and the fix is a single attribute added to the HTML tag.

How this shows up in the real world

When a link uses target="_blank", the browser opens a new tab. But it also gives the new tab a reference back to the original page through window.opener. The code on the new page can use window.opener.location to redirect your original tab to any URL.

Here is how the attack works. A visitor clicks an external link on your site. The link opens in a new tab. Meanwhile, the opened page runs a script that redirects the original tab (your site) to a fake login page that looks identical to yours. The visitor finishes reading the external page, switches back to the original tab, and sees what appears to be your login page asking them to sign in again. They enter their password. It goes to the attacker.

This attack is called reverse tabnabbing. It works because people trust the tab they left behind. They assume it is still showing your site. The attacker counts on the visitor not noticing the URL change in the address bar.

Adding rel="noopener" breaks the window.opener reference entirely. The new tab has no way to reach back to the original page. The fix is one attribute, and it has no effect on the user experience. The link still opens in a new tab. The only difference is that the new tab cannot manipulate the original one.

Why it matters

Reverse tabnabbing is a real attack used in phishing campaigns. It targets sites that link to external resources, which includes virtually every site with a blog, resource page, or partner links.

The risk is highest for sites with logged-in users. If a visitor is logged into your site and the original tab gets redirected to a fake login page, they may re-enter their credentials without questioning it. The attacker gets their password and can access their account.

Modern browsers have started treating target="_blank" links as if rel="noopener" is set by default. But older browsers do not. Adding the attribute explicitly protects visitors on all browsers and costs nothing to implement.

Who this impacts most

Content sites and blogs link to external sources frequently. Every outbound link with target="_blank" and no rel="noopener" is a potential phishing vector. A blog with 100 posts may have hundreds of unsafe external links.

SaaS products with documentation pages, help centers, or resource libraries often link to third-party tools and guides. Each link is an entry point for reverse tabnabbing if it lacks the proper attribute.

E-commerce sites that link to manufacturer sites, review platforms, or partner pages face the same risk. The external site may not be malicious today, but if it gets compromised in the future, the missing attribute gives it access to redirect your page.

How to fix it

Step 1: Add rel='noopener' to all external target='_blank' links. Find every link that opens in a new tab and add rel="noopener" to the anchor tag. Example: <a href="https://example.com" target="_blank" rel="noopener">Link</a>. This single attribute blocks the window.opener reference.

Step 2: Search your templates and components. If your site uses templates or reusable components for links, fix the template once instead of fixing individual links. In WordPress, check your theme's link template. In React or Vue, check your link component.

Step 3: Check your CMS editor output. Some CMS editors add target="_blank" without rel="noopener" when you set a link to open in a new tab. Test the HTML output of your editor after adding a link. If it is missing the attribute, look for a plugin or setting that adds it automatically.

Step 4: Consider using rel='noopener noreferrer'. Adding noreferrer also prevents the opened page from seeing which page the visitor came from. This provides additional privacy. Use both unless you need referrer data for analytics on the target site.
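The following Node.js script is an added example, not SiteCurl's own code (which this page does not publish). It implements both halves of the page offline: the scan described under "What this check does" and the template rewrite from Steps 1 to 4. It treats rel as the case-insensitive, space-separated token list HTML defines, resolves relative and protocol-relative hrefs against the page URL so that only cross-origin http(s) links count as external, accepts noreferrer as protection the way the scan does, and preserves existing rel tokens such as nofollow when adding noopener noreferrer. The sample markup, the site name mysite.test and the function names are all constructed for this example.

```javascript
// Added example, not SiteCurl's code. Scans static HTML for external
// target="_blank" links that lack rel="noopener"/"noreferrer" and rewrites
// them. A small attribute parser is used so this runs in Node without a DOM.

// One <a ...> start tag; group 1 is its attribute string.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse a tag's attribute string into a map keyed by lower-cased name.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// rel is a space-separated, case-insensitive token list, so
// rel="NOOPENER nofollow" counts as protected and rel="noopenerx" does not.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

function hasOpenerProtection(rel) {
  const t = relTokens(rel);
  return t.has('noopener') || t.has('noreferrer');
}

// External means: resolves to an http(s) URL on a different origin than the
// page. Relative, fragment-only and mailto: links are therefore not external.
function isExternal(href, pageUrl) {
  let target;
  try { target = new URL(href, pageUrl); } catch { return false; }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return false;
  return target.origin !== new URL(pageUrl).origin;
}

// The scan: absolute URLs of external target="_blank" links with no protection.
function findUnsafeBlankLinks(html, pageUrl) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const a = parseAttrs(m[1]);
    if ((a.target || '').toLowerCase() !== '_blank') continue;
    if (!a.href || !isExternal(a.href, pageUrl)) continue;
    if (!hasOpenerProtection(a.rel)) unsafe.push(new URL(a.href, pageUrl).href);
  }
  return unsafe;
}

// Replace an existing rel attribute in place, or append one, without
// touching any other attribute (so a "rel=" inside an href is never hit).
function setRel(raw, value) {
  for (const m of raw.matchAll(ATTR_RE)) {
    if (m[1].toLowerCase() === 'rel') {
      return raw.slice(0, m.index) + `rel="${value}"` + raw.slice(m.index + m[0].length);
    }
  }
  return `${raw} rel="${value}"`;
}

// The fix: add noopener noreferrer to every target="_blank" anchor, keeping
// tokens already present such as nofollow. Internal links are rewritten too;
// the attribute is harmless there and it keeps templates uniform.
function addNoopener(html, tokens = ['noopener', 'noreferrer']) {
  return html.replace(ANCHOR_RE, (tag, raw) => {
    const a = parseAttrs(raw);
    if ((a.target || '').toLowerCase() !== '_blank') return tag;
    const rel = relTokens(a.rel);
    for (const t of tokens) rel.add(t);
    return `<a${setRel(raw, [...rel].join(' '))}>`;
  });
}

// Constructed sample page, not real markup; the site is mysite.test.
const PAGE_URL = 'https://mysite.test/blog/post';
const SAMPLE_HTML = `
<nav><a href="/about" target="_blank">About</a></nav>
<p>See <a href="https://example.com/page" target="_blank">the guide</a>,
<a href="https://example.com/safe" target="_blank" rel="noopener">a safe link</a>,
<a href="//cdn.example.org/x" target=_blank rel="NOFOLLOW">a protocol-relative one</a>,
<a href="https://example.net/ref" target="_blank" rel="noreferrer">noreferrer only</a>,
<a href="mailto:hi@example.com" target="_blank">mail</a> and
<a href="https://mysite.test/contact" target="_blank">our contact page</a>.</p>
`;

const found = findUnsafeBlankLinks(SAMPLE_HTML, PAGE_URL);
console.log(`${found.length} external links with target='_blank' lack rel='noopener'.`);
for (const url of found) console.log(`${url} opens in new tab without noopener.`);
const fixed = addNoopener(SAMPLE_HTML);
console.log(`after fix: ${findUnsafeBlankLinks(fixed, PAGE_URL).length} unsafe`);
```

Run it with node; the output uses the same wording as the example findings later on this page. Because it reads HTML source rather than the rendered DOM, it will not see links that JavaScript creates at runtime; for those, save the rendered HTML from the browser and run the scan over that instead of the templates.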

Common mistakes when fixing this

Mistake 1. Only fixing visible links. Links in footers, sidebars, and embedded widgets also use target="_blank". Check the full HTML of each page, not just the main content area.

Mistake 2. Using rel='noreferrer' alone. While noreferrer implies noopener in most browsers, setting noopener explicitly ensures compatibility with older browsers that may not make that connection.

Mistake 3. Forgetting dynamically generated links. If your site generates links with JavaScript (dynamic menus, search results, comment sections), those links also need rel="noopener". Check the rendered HTML, not just the source templates.

How to verify the fix

After making changes, run another SiteCurl scan. The count of unsafe target blank links should drop to zero. You can also verify manually: right-click an external link on your page, select 'Inspect,' and check that the anchor tag includes rel="noopener".

To check the entire page at once, open your browser console (F12) and run: document.querySelectorAll('a[target="_blank"]:not([rel*="noopener"])'). This returns all links that still need the fix.

The bottom line

Unsafe target blank links let external pages redirect your site to phishing pages. The fix is a single HTML attribute on each external link. Add rel="noopener" to every link with target="_blank" and run a scan to confirm they are all covered.

Example findings from a scan

All external target='_blank' links use rel='noopener'.

3 external links with target='_blank' lack rel='noopener'.

https://example.com/page opens in new tab without noopener.

Frequently asked questions

What is reverse tabnabbing?

It is a phishing technique where a page opened via target='_blank' uses window.opener to redirect the original tab to a fake login page. The visitor switches back to the original tab and sees what looks like your site asking them to log in.

Do modern browsers fix this automatically?

Chrome, Firefox, and Safari now treat target='_blank' as if rel='noopener' is set by default. But older browsers and some mobile browsers do not. Adding the attribute explicitly protects all visitors.

Does rel='noopener' affect how the link works?

No. The link still opens in a new tab. The visitor sees no difference. The only change is that the new tab cannot access the original page through window.opener.

Can I check for unsafe links without signing up?

Yes. The free audit checks all external links on your home page as part of a full seven-category scan. No signup needed. Results in under 60 seconds.

Should I use noopener, noreferrer, or both?

Use both: rel='noopener noreferrer'. Noopener blocks window.opener access. Noreferrer also hides the referring page URL. Unless you need referrer tracking on the target site, using both gives maximum protection.

Do I need to fix internal links too?

No. Internal links go to pages on your own domain, which you control. The risk only applies to external links where the target page could run untrusted code.