
2021 update: Browsers now implicitly set rel=noopener for any target=_blank link.
We all love the target="_blank" attribute, which makes links open in a new window. The problem is that once the new window is opened, the new page can access the original window through window.opener, allowing it to send the original page to a spoofed URL or redirect.
Scary, right? Someone can post a link on your forum or in the comments of your blog and go to town. In the meantime, be careful of your clicks.
Try the example here to see it in action: https://mathiasbynens.github.io/rel-noopener
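
For sites that accept links from users, the rel=noopener fix can be applied when the markup is saved or rendered, which also covers visitors on browsers older than the 2021 change. This is an added example, not code from the original post: `hardenBlankLinks` and `parseAttrs` are hypothetical helper names, and the regex-based tag matching assumes simple comment markup (a production sanitizer should use a real HTML parser).

```javascript
// Added example: make sure every target=_blank link in user-posted HTML carries
// rel="noopener". Helper names are hypothetical; tag matching is regex-based and
// assumes simple comment markup (no ">" inside attribute values).
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse the attribute text of one tag into a Map (lower-cased names, first wins,
// which matches how browsers treat duplicate attributes).
function parseAttrs(src) {
  const attrs = new Map();
  for (const m of src.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] || m[3] || m[4] || "");
  }
  return attrs;
}

function hardenBlankLinks(html) {
  return html.replace(/<a(\s[^>]*)?>/gi, (tag, rawAttrs) => {
    const attrs = parseAttrs(rawAttrs || "");
    if ((attrs.get("target") || "").trim().toLowerCase() !== "_blank") return tag;
    const rel = new Set(
      (attrs.get("rel") || "").toLowerCase().split(/\s+/).filter(Boolean)
    );
    // noreferrer implies noopener, so either token already severs window.opener.
    if (rel.has("noopener") || rel.has("noreferrer")) return tag;
    rel.delete("opener"); // rel=opener opts back in to window.opener; drop it
    rel.add("noopener");
    attrs.set("rel", [...rel].join(" "));
    const out = [...attrs]
      .map(([k, v]) => `${k}="${v.replace(/"/g, "&quot;")}"`)
      .join(" ");
    return `<a ${out}>`;
  });
}

// Constructed sample comment, not taken from the page.
const sample = `<a HREF='https://example.test/' TARGET=_blank REL="nofollow">hi</a>`;
console.log(hardenBlankLinks(sample));
```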