[ https://issues.apache.org/jira/browse/AMBARI-24628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16626374#comment-16626374 ]
Hudson commented on AMBARI-24628:
---------------------------------

SUCCESS: Integrated in Jenkins build Ambari-logsearch-ga-test #2 (See [https://builds.apache.org/job/Ambari-logsearch-ga-test/2/])
AMBARI-24628. Fix possible "Phishing by Navigating Browser Tabs" (aleksandrkovalenko: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=8c9b50cdd4e091312277067bf4c142deb23c8f16])
* (edit) ambari-web/app/templates/common/host_progress_popup.hbs
* (edit) ambari-web/app/templates/main/alerts/definition_details.hbs
* (edit) ambari-web/app/templates/main/dashboard/widgets/hdfs_links.hbs
* (edit) ambari-web/app/templates/main/dashboard/widgets/yarn_links.hbs
* (edit) ambari-web/app/messages.js
* (edit) ambari-web/app/templates/main/dashboard/widgets/hbase_links.hbs
* (edit) ambari-web/app/templates/main/host/logs.hbs
* (edit) ambari-web/app/templates/common/modal_popups/log_tail_popup.hbs
* (edit) ambari-web/app/templates/main/service/info/summary.hbs
AMBARI-24628. Fix possible "Phishing by Navigating Browser Tabs" (aleksandrkovalenko: [https://gitbox.apache.org/repos/asf?p=ambari.git&a=commit&h=e3c3e34b317009d39a1e795c1c5c01767e69bbfb])
* (edit) ambari-web/app/templates/main/dashboard/widgets/hdfs_links.hbs

> Fix possible "Phishing by Navigating Browser Tabs" vulnerability
> ----------------------------------------------------------------
>
> Key: AMBARI-24628
> URL: https://issues.apache.org/jira/browse/AMBARI-24628
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: trunk, 2.6.2
> Reporter: amarnath reddy pappu
> Assignee: Aleksandr Kovalenko
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.7.2
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> According to details found at
> https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/phishing-by-navigating-browser-tabs/,
> it is possible to change the "window.opener.location" value in browser
> windows opened using normal anchor tags where the "target" attribute is
> specified as "_blank".
> This gives an attacker the ability to change the parent location and thus
> potentially allow for a phishing attack to be invoked.
> To help this situation, it is suggested that the following attribute be set
> along with the "target" attribute:
> {noformat}
> rel="noopener noreferrer"
> {noformat}
> For example:
> {noformat}
> <a href="..." target="_blank" rel="noopener noreferrer">...</a>
> {noformat}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
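
One way to audit templates for the condition described in the quoted issue, as an added example that is not part of the original message or the Ambari code base. The function names and the sample markup are assumptions made for illustration.

```javascript
// Added example: audit anchors that open a new tab without rel="noopener noreferrer".
// Regex scan for template review, not a full HTML/Handlebars parser.
const REQUIRED_REL = ['noopener', 'noreferrer'];
const ANCHOR_RE = /<a\b[^>]*>/gi;
const REL_RE = /\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i;

// Read one attribute from an opening tag (double-quoted, single-quoted or bare value).
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// rel tokens still needed on this tag; empty when it does not use target="_blank".
function missingRel(tag) {
  if ((getAttr(tag, 'target') || '').toLowerCase() !== '_blank') return [];
  const rel = (getAttr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return REQUIRED_REL.filter((token) => !rel.includes(token));
}

// Report each offending tag with its 1-based line number.
function findUnsafeBlankLinks(source) {
  const findings = [];
  for (const m of source.matchAll(ANCHOR_RE)) {
    const missing = missingRel(m[0]);
    if (missing.length === 0) continue;
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, tag: m[0], missing });
  }
  return findings;
}

// Add the missing tokens, keeping any rel values the tag already has.
function hardenBlankLinks(source) {
  return source.replace(ANCHOR_RE, (tag) => {
    const missing = missingRel(tag);
    if (missing.length === 0) return tag;
    const kept = (getAttr(tag, 'rel') || '').split(/\s+/).filter(Boolean);
    const attr = ` rel="${kept.concat(missing).join(' ')}"`;
    return REL_RE.test(tag) ? tag.replace(REL_RE, () => attr) : tag.slice(0, -1) + attr + '>';
  });
}

// Constructed sample markup (not copied from the Ambari templates).
const SAMPLE = [
  '<a href="{{unbound view.webUrl}}" target="_blank">NameNode UI</a>',
  '<a href="/docs" target="_blank" rel="noopener noreferrer">Docs</a>',
  '<a href="/logs" target=\'_blank\' rel="nofollow">Logs</a>',
  '<a href="/same-tab">Stay</a>',
].join('\n');
console.log(findUnsafeBlankLinks(SAMPLE));
console.log(hardenBlankLinks(SAMPLE));
```

Attributes bound through template helpers rather than written as literal `target="_blank"` are outside what this scan can see and need manual review.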