Did you notice that noopener noreferrer tags are being added to both external AND internal links that are set to open in a new tab (target_blank) in your WordPress blog? I noticed this happening on my blog last night. I disabled WordPress plugins, changed my browser as well as my PC to check if it was something specific adding them. When I found that it was still happening, I decide to search on the Internet and that is when I found that some users were reporting the same issue on WordPress forums.
WordPress adding noopener noreferrer tags to links
If you set a link to open in a new tab, WordPress will now, apart from adding the target=”_blank” tag also add the rel=”noopener noreferrer” tag automatically.
Not only that, if you open any old post and save it, the tag will get added automatically. This has probably been done to avoid what is known as Reverse Tabnabbing. Since the onus is on website owners to prevent such attacks and exploiting of the vulnerability, WordPress has taken this step to protect users.
Reverse Tabnabbing occurs the attacker uses window.opener.location.assign() to replace the background tab with a malicious document.
- When you add noopener keyword, the new/other page cannot access your window object via window.opener
- The noreferrer keyword tells the browser to not collect HTTP referrer information when the link is followed.
- Firefox does not support noopener so you have to use rel=”noopener noreferrer”.
What is Reverse Tabnabbing
Reverse Tabnabbing, a type of Tabnabbing, is a kind of a Phishing attack where the attacker replaces the legitimate and trusted page tab with a malicious document by using window.opener.location.assign().
To put simple, in Reverse Tabnabbing, when we click on a link on a web page to open a new web page, and it opens in a new tab – and if we then come back to the main web page, then behind our backs, that page will have changed automatically. It will look like the original web page which you were viewing but will obviously show a different URL. But most users may not notice the URL change. related tab from a trusted
When we come back to the original page, we may be asked to log in again to our account. The attackers actually replace the original tab with a malicious document including the favicon as well as the address bar, but we usually don’t notice this. We enter our login details and voila, we are hacked.
Check this example to understand the Reverse Tabnabbing better.
So if you see the rel=”noopener noreferrer” to all links which have target=”_blank”, do not remove them, if you value your site. And even if you remove them – WordPress will put them back when you save the post. And there is no way to disable this feature, from what I can gather.
However, some users have reported that it also made all your internal links nofollow if they open in a new tab, which might definitely be bad for your site’s SEO. So check your links and see if all is fine.
UPDATE: Now I am seeing that it inserts only the noopener tag.