CWE-1022: Use of Web Link to Untrusted Target with window.opener Access

VariantIncompleteExploit Likelihood: Medium

The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.

View on MITRE
Back to CWE Lookup

Extended Description

When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.

Technical Details

Structure
Simple

Applicable To

Languages
JavaScript
Platforms

Frequently Asked Questions

What is CWE-1022: Use of Web Link to Untrusted Target with window.opener Access?+

CWE-1022: Use of Web Link to Untrusted Target with window.opener Access is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. When a user clicks a link to an external site ("target"), the target="_blank" attribute causes the target site's contents to be opened in a new window or tab, which runs in the same process as the original page. The window.opener object records information about the original page that offered the link. If an attacker can run script on the target page, then they could read or modify certain properties of the window.opener object, including the location property - even if the original and target site are not the same origin. An attacker can modify the location property to automatically redirect the user to a malicious site, e.g. as part of a phishing attack. Since this redirect happens in the original window/tab - which is not necessarily visible, since the browser is focusing the display on the new target page - the user might not notice any suspicious redirection.

What are the security consequences of Use of Web Link to Untrusted Target with window.opener Access?+

If exploited, CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access) it can compromise Confidentiality, leading to outcomes such as Alter Execution Logic.

How do you prevent or mitigate Use of Web Link to Untrusted Target with window.opener Access?+

Recommended mitigations for CWE-1022 include: Specify in the design that any linked external document must not be granted access to the location object of the calling page. When creating a link to an external document using the <a> tag with a defined target, for example "_blank" or a named frame, provide the rel attribute with a value "noopener noreferrer". If opening the external document in a new window via javascript, then reset the opener by setting it equal to null. Do not use "_blank" targets. However, this can affect the usability of the application.

Which programming languages are affected by Use of Web Link to Untrusted Target with window.opener Access?+

CWE-1022 commonly affects JavaScript. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Use of Web Link to Untrusted Target with window.opener Access?+

MITRE documents real CVEs mapped to CWE-1022, including CVE-2022-4927. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-1022 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More