One possible fix for this is to add rel="noreferrer" to all "target" links. But reports say this doesn't work in Internet Explorer, so it's not an option for Mahara, which still supports IE11.
--
You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1558361

Title:
  XSS vulnerability due to window.opener (target="_blank" and window.open())

Status in Mahara:
  Fix Released
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Released
Status in Mahara 15.10 series:
  Fix Released

Bug description:
  The Catalyst security team has pointed out to us that the practice of opening new browser windows via "target" links or the Javascript window.open() command. The problem is that in these cases, the Javascript and HTML standards require that the newly opened window/tab have access to the original window's "Window" object, via "window.opener". This allows the new window to control the navigation of the original window, and possibly access other DOM objects as well, depending on security policies.

  The really bad part, though, is that the new window has access to window.opener, and navigation control via it, even if the new window is on a different domain than the original window. And this window.opener object remains there, even if the user goes to a new page or site in the new window, or the old window! This allows for all kinds of cross-site-scripting attacks.

  So, we need to prevent this behavior in Mahara.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1558361/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to : [email protected]
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp
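The two mitigations the thread touches on, as an added example that is not Mahara's own code: `addNoOpener` rewrites `target="_blank"` anchors in an HTML string to carry `rel="noopener noreferrer"` (the fix the comment above says is not enough on IE11), and `openWithoutOpener` applies the script-side alternative of opening a blank window, nulling its `opener` while it is still same-origin, and only then navigating it. Both function names and the sample markup are assumptions made for this example; the second helper only does real work in a browser and accepts a window object so it can be exercised elsewhere.

```javascript
// Added example, not Mahara's code. Two defences against window.opener
// abuse by pages opened from our site.

// Matches every <a ...> opening tag and captures its attribute string.
const ANCHOR_RE = /<a\b([^>]*)>/gi;

function hasBlankTarget(attrs) {
  // target="_blank", target='_blank' or bare target=_blank
  return /\btarget\s*=\s*(["']?)_blank\1/i.test(attrs);
}

// Rewrite anchors that open a new tab so they carry both rel tokens,
// merging with any rel value already present. Pure string processing,
// so it runs without a DOM; in a browser the same rule can be applied
// to anchor elements via setAttribute.
function addNoOpener(html) {
  return html.replace(ANCHOR_RE, (tag, attrs) => {
    if (!hasBlankTarget(attrs)) return tag;
    const relMatch = /(^|\s)rel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    const tokens = new Set();
    if (relMatch) {
      const existing = relMatch[2] ?? relMatch[3] ?? relMatch[4];
      existing.split(/\s+/).filter(Boolean).forEach(t => tokens.add(t.toLowerCase()));
    }
    tokens.add('noopener');
    tokens.add('noreferrer');
    const rel = `rel="${[...tokens].join(' ')}"`;
    const newAttrs = relMatch
      ? attrs.replace(relMatch[0], relMatch[1] + rel)
      : `${attrs} ${rel}`;
    return `<a${newAttrs}>`;
  });
}

// Script-side alternative for browsers that ignore rel="noopener":
// open an empty same-origin window, cut the back-link, then navigate.
// Nulling opener before the navigation matters: once the child is on
// another origin the parent can no longer set properties on it.
function openWithoutOpener(url, win = typeof window !== 'undefined' ? window : null) {
  if (!win || typeof win.open !== 'function') return null; // not in a browser
  const child = win.open('', '_blank');
  if (!child) return null;                                 // popup blocked
  child.opener = null;                                     // child can no longer reach us
  child.location = url;
  return child;
}

// Constructed sample markup for a quick demonstration.
const SAMPLE_HTML =
  '<p><a href="https://example.com/external" target="_blank">external</a> ' +
  '<a href="/internal">internal</a></p>';
console.log(addNoOpener(SAMPLE_HTML));
```

In practice the string rewrite belongs wherever user-supplied HTML is already being filtered before storage or output, so that the `rel` tokens are present regardless of which browser renders the page; the `openWithoutOpener` helper is what a click handler would call for links that must open in a new tab on browsers without `noopener` support.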

