Find unsafe target blank links on your site
Links that open in a new tab without rel='noopener' let the opened page redirect your site to a phishing page. SiteCurl checks every external link.
What this check does
SiteCurl scans each external link on your pages that uses target="_blank" and checks for the rel="noopener" or rel="noreferrer" attribute. Links missing these attributes are flagged because they allow the opened page to access your page through the browser's window.opener object.
The check only flags external links. Internal links that open in a new tab are not a risk because they go to pages you control. SiteCurl reports the number of unsafe links and lists the specific URLs so you know exactly which links to fix.
On a full scan of 100 pages, SiteCurl can check hundreds of external links. Each unsafe link is a potential phishing vector, and the fix is a single attribute added to the HTML tag.
How this shows up in the real world
When a link uses target="_blank", the browser opens a new tab. But it also gives the new tab a link back to the original page through window.opener. The code on the new page can use window.opener.location to redirect your original tab to any URL.
Here is how the attack works. A user clicks an external link on your site. The link opens in a new tab. Meanwhile, the opened page runs a script that redirects the original tab (your site) to a fake login page that looks just like yours. The user reads the new page, goes back to the first tab, and sees what appears to be your login page asking them to sign in again. They enter their password. It goes to the attacker.
This attack is called reverse tabnabbing. It works because people trust the tab they left behind. They assume it is still showing your site. The attacker counts on the user not noticing the URL change in the address bar.
Adding rel="noopener" breaks the window.opener link entirely. The new tab has no way to reach back to the original page. The fix is one attribute, and it has no effect on the user experience. The link still opens in a new tab. The only difference is that the new tab cannot change the original one.
Why it matters
Reverse tabnabbing is a real attack used in phishing campaigns. It targets sites that link to external resources, which is nearly every site with a blog, help page, or partner links.
The risk is highest for sites with logged-in users. If a user is logged into your site and the original tab gets redirected to a fake login page, they may re-enter their login info without questioning it. The attacker gets their password and can access their account.
Modern browsers have started treating target="_blank" links as if rel="noopener" is set by default. But older browsers do not. Adding the attribute by hand protects users on all browsers and costs nothing to implement.
Who this impacts most
Content sites and blogs link to external sources often. Each outbound link with target="_blank" and no rel="noopener" is a potential phishing vector. A blog with 100 posts may have hundreds of unsafe external links.
SaaS products with docs pages, help centers, or resource libraries often link to third-party tools and guides. Each link is an entry point for reverse tabnabbing if it lacks the proper attribute.
E-commerce sites that link to maker sites, review platforms, or partner pages face the same risk. The external site may not be malicious today, but if it gets hacked in the future, the missing attribute lets it redirect your page.
How to fix it
Step 1: Add rel='noopener' to all external target='_blank' links. Find each link that opens in a new tab and add rel="noopener" to the anchor tag. Example: <a href="https://example.com" target="_blank" rel="noopener">Link</a>. This single attribute blocks the window.opener link.
Step 2: Search your templates and components. If your site uses templates or reusable components for links, fix the template once instead of fixing individual links. In WordPress, check your theme's link template. In React or Vue, check your link component.
Step 3: Check your CMS editor output. Some CMS editors add target="_blank" without rel="noopener" when you set a link to open in a new tab. Test the HTML output of your editor after adding a link. If it is missing the attribute, look for a plugin or setting that adds it automatically.
Step 4: Consider using rel='noopener noreferrer'. Adding noreferrer also stops the opened page from seeing which page the user came from. This provides more privacy. Use both unless you need referrer data for analytics on the target site.
Common mistakes when fixing this
Mistake 1. Only fixing visible links. Links in footers, sidebars, and embedded widgets also use target="_blank". Check the full HTML of each page, not just the main content area.
Mistake 2. Using rel='noreferrer' alone. While noreferrer implies noopener in most browsers, setting noopener by hand ensures compatibility with older browsers that may not make that connection.
Mistake 3. Missing JS-built links. If your site builds links with JavaScript (dynamic menus, search results, comment sections), those links also need rel="noopener". Check the rendered HTML, not just the source templates.
How to verify the fix
After making changes, run another SiteCurl scan. The count of unsafe target blank links should drop to zero. You can also check manually: right-click an external link on your page, select 'Inspect,' and check that the anchor tag includes rel="noopener".
To check the entire page at once, open your browser console (F12) and run: document.querySelectorAll('a[target="_blank"]:not([rel*="noopener"])'). This returns every new-tab link whose rel does not contain noopener. The list includes internal links and links that only set noreferrer, so it can be longer than the scan's count.
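To audit rendered HTML the way this check is described (external links only, with noopener or noreferrer accepted) and to catch the JS-built links from Mistake 3, the following is an added example and not SiteCurl's code. The function names, the sample markup, and the same-origin test for "internal" are assumptions.

```javascript
// Added example: list external target="_blank" links with neither
// noopener nor noreferrer in rel. SAMPLE_HTML and PAGE_URL are constructed.
const PAGE_URL = 'https://shop.example/';
const SAMPLE_HTML = `
<a href="https://partner.example/guide" target="_blank">Guide</a>
<a href="https://docs.example/api" target="_blank" rel="noopener">API</a>
<a href='https://reviews.example/' target=_blank rel="nofollow">Reviews</a>
<a href="/pricing" target="_blank">Pricing</a>
<a href="https://blog.example/post" rel="nofollow">Post</a>
<a href="https://cdn.example/x" target="_blank" rel="NoReferrer">CDN</a>`;

// Parse name="v", name='v', name=v and bare attributes from one start tag.
function parseAttributes(tagBody) {
  const attrs = Object.create(null);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function findUnsafeLinks(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const unsafe = [];
  // Quoted values may contain '>', so skip over them when finding the tag end.
  const tagRe = /<a\s((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    if ((attrs.target || '').toLowerCase() !== '_blank' || !attrs.href) continue;
    let url;
    try { url = new URL(attrs.href, pageUrl); } catch { continue; }
    // Assumption: "internal" means same origin as the scanned page.
    if (!/^https?:$/.test(url.protocol) || url.origin === pageOrigin) continue;
    // rel is a space-separated token list; match whole tokens, not substrings.
    const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener') && !rel.includes('noreferrer')) {
      unsafe.push(url.href);
    }
  }
  return unsafe;
}

console.log(findUnsafeLinks(SAMPLE_HTML, PAGE_URL));
```

In the browser console, call findUnsafeLinks(document.documentElement.outerHTML, location.href) once the page has finished rendering, so that links built by JavaScript are included.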
The bottom line
Unsafe target blank links let external pages redirect your site to phishing pages. The fix is a single HTML attribute on each external link. Add rel="noopener" to each link with target="_blank" and run a scan to confirm they are all covered.
Example findings from a scan
All external target='_blank' links use rel='noopener'.
3 external links with target='_blank' lack rel='noopener'.
https://example.com/page opens in new tab without noopener.
Frequently asked questions
What is reverse tabnabbing?
It is a phishing trick where a page opened via target='_blank' uses window.opener to send the first tab to a fake login page. The user goes back to the first tab and sees what looks like your site asking them to log in.
Do modern browsers fix this automatically?
Chrome, Firefox, and Safari now treat target='_blank' as if rel='noopener' is set by default. But older browsers and some mobile browsers do not. Adding the attribute by hand protects all users.
Does rel='noopener' affect how the link works?
No. The link still opens in a new tab. The user sees no difference. The only change is that the new tab cannot access the original page through window.opener.
Can I check for unsafe links without signing up?
Yes. The free audit checks all external links on your home page as part of a full seven-category scan. No signup needed. Results in under 60 seconds.
Should I use noopener, noreferrer, or both?
Use both: rel='noopener noreferrer'. Noopener blocks window.opener access. Noreferrer also hides the referring page URL. Unless you need referrer tracking on the target site, using both gives the most safety.
Do I need to fix internal links too?
No. Internal links go to pages on your own domain, which you control. The risk only applies to external links where the target page could run untrusted code.