WordPress is adding both the noopener and noreferrer rel keywords to external AND internal links that open in a new tab. That covers essentially anything that opens in a new window or tab (target="_blank") on your WordPress site.
We noticed this earlier today after updating an article then viewing its source.
If you set a link to open in a new tab, WordPress now adds the rel="noopener noreferrer" attribute automatically, in addition to the target="_blank" attribute.
Not only that, if you open any old post and save it, the attribute will get added automatically. This has probably been done to avoid what is known as Reverse Tabnabbing.
Website owners should help prevent such attacks and exploitation of the vulnerability. WordPress has taken this step to protect users.
Reverse Tabnabbing occurs when the attacker uses window.opener.location.assign() to replace the background tab with a malicious document.
When you add the noopener keyword, the new page cannot access your window object via window.opener.
The noreferrer keyword tells the browser not to send HTTP referrer information when the link is followed.
Firefox does not support noopener so you have to use rel="noopener noreferrer".
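To check or fix markup outside the WordPress editor (theme templates, imported content), the same rule can be applied with a small script. This is an added example, not WordPress's own code; hardenBlankLinks and getAttr are hypothetical names, and the regex-based tag handling assumes reasonably well-formed anchor tags.

```javascript
// Added example: applies the rule described above to links with target="_blank".
// hardenBlankLinks and getAttr are illustrative names, not WordPress code.
const REQUIRED = ["noopener", "noreferrer"];

// Read one attribute (double-quoted, single-quoted or bare value) from a tag.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  return m ? { raw: m[0], value: m[1] || m[2] || m[3] || "" } : null;
}

function hardenBlankLinks(html) {
  let changed = 0;
  const out = html.replace(/<a\b[^>]*>/gi, (tag) => {
    const target = getAttr(tag, "target");
    if (!target || target.value.toLowerCase() !== "_blank") return tag;

    const rel = getAttr(tag, "rel");
    const tokens = rel ? rel.value.split(/\s+/).filter(Boolean) : [];
    const have = new Set(tokens.map((t) => t.toLowerCase()));
    const missing = REQUIRED.filter((t) => !have.has(t));
    if (missing.length === 0) return tag; // already protected

    changed++;
    // Keep existing tokens such as nofollow and append only what is missing.
    const relAttr = ` rel="${[...tokens, ...missing].join(" ")}"`;
    // Replace an existing rel attribute, otherwise insert one before the closing ">".
    return rel
      ? tag.replace(rel.raw, () => relAttr)
      : tag.replace(/\s*\/?>$/, (end) => `${relAttr}${end.trim()}`);
  });
  return { html: out, changed };
}

// Constructed sample markup: internal, external, already-safe and same-tab links.
const sample = [
  '<a href="/about" target="_blank">internal</a>',
  '<a href="https://example.com" target="_blank" rel="nofollow">external</a>',
  '<a href="https://example.org" target="_blank" rel="noopener noreferrer">safe</a>',
  '<a href="https://example.net">same tab</a>',
].join("\n");

const result = hardenBlankLinks(sample);
console.log(result.html);
console.log(`links changed: ${result.changed}`);
```

Only the first two sample links are rewritten; the already-protected link and the same-tab link are left untouched.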
Reverse Tabnabbing can occur when we click on a link on a web page to open a new tab. That page opens in a new tab or window. When we come back to the main web page, that page has changed, behind our back, to a different URL. Most users may not notice the URL change.
When we come back to the original page we may be asked to log in again to our account. Attackers replace the original tab with a malicious document, including the favicon. We usually don't notice this URL change. We enter our login details and we are hacked.
We're not sure how this change will affect our site's SEO. This URL meta change was done to WordPress 4.7.4 as far as we know. When we find additional details we will update this article. We would appreciate visitors adding their comments below.
Retired Used Car Dealer (trust-me) and ASE Cert Mechanic with over 40 years experience. I'm also a Hobbyist DOS days Fidonet Bulletin Board System Operator (BBS SysOp) turned net guru. Just hanging out in cyberspace keeping up with tech!