XSS in Open Redirect which uses attribute rel="noopener follow" target="_blank" via Modern Browsers

Aidil Arief
2 min read · Jul 28, 2022


Hi everyone

This time I will write a short note on an XSS in an Open Redirect that uses the attributes rel="noopener follow" target="_blank".

Here’s the code snippet:

<a class="test" title="test" href="javascript:alert()" rel="noopener follow" target="_blank">CLICK</a>


From the code snippet above, I tried opening it in several modern browsers:

1. Google Chrome

In Chrome, when you open a javascript: URL from a link that has the attributes rel="noopener follow" target="_blank", it does not execute: you are taken to the page about:blank#blocked. See that the pop up does not appear.

2. Microsoft Edge

It is the same on Edge. When you open the javascript: URL from a link with the attributes rel="noopener follow" target="_blank", it does not execute, and you are taken to the page about:blank#blocked. See that the pop up does not appear.

3. Opera

I get the same result in Opera: when the javascript: URL is combined with the rel="noopener follow" target="_blank" attributes, it does not execute, and you are taken to the page about:blank#blocked. See that the pop up does not appear.

So how can this be triggered in a modern browser?

This time I am using Firefox version 103.0.

4. Firefox

Surprisingly, the javascript: URL with the rel="noopener follow" target="_blank" attributes got past the block in Firefox version 103.0, and a pop up appeared.

I used to think this only worked in IE and Safari, and when I reported a similar case I used IE; the severity was then dropped to Low, which was very sad. Now I can use this in new versions of Firefox and modern browsers.
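As an added defensive example (this is not code from the original post): the root cause in findings like this is that a redirect parameter is reflected into an href without scheme validation, and rel="noopener" / target="_blank" do nothing to neutralise a javascript: URL, as the Firefox 103.0 result shows. The Node.js snippet below assumes a hypothetical site on example.com and resolves the candidate target with the WHATWG URL parser (which also strips the tabs, newlines and control characters that would otherwise disguise the scheme), accepts only http/https to an allowlisted host, and only then renders the anchor. The allowlist, base URL and sample inputs are constructed for illustration.

```javascript
// Added example (not from the original post): validate an open-redirect
// target before it is ever placed in an href. The allowlist hosts, base
// URL and sample inputs below are constructed for illustration.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]); // assumed site hosts
const SAFE_SCHEMES = new Set(["http:", "https:"]);
const BASE_URL = "https://example.com/"; // assumed origin for resolving relative paths

// Resolve the raw parameter with the WHATWG URL parser. The parser strips
// leading/trailing C0 controls and spaces and removes embedded tabs and
// newlines, so "\tjavascript:alert()" or "java\nscript:alert()" still
// normalise to protocol "javascript:" and are caught by the scheme check.
function parseRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  try {
    return new URL(raw, BASE_URL);
  } catch (e) {
    return null; // unparseable input is rejected, not passed through
  }
}

// A target is safe only if it is http(s), carries no embedded credentials,
// and points at one of our own hosts. Scheme-relative "//evil.example"
// resolves to https://evil.example and fails the host check.
function isSafeRedirectTarget(raw, allowedHosts = ALLOWED_HOSTS) {
  const url = parseRedirectTarget(raw);
  if (url === null) return false;
  if (!SAFE_SCHEMES.has(url.protocol)) return false;
  if (url.username !== "" || url.password !== "") return false;
  return allowedHosts.has(url.hostname);
}

// Minimal attribute-context encoder for the serialised URL.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render the anchor only for validated targets. rel/target are kept for
// tab isolation, but they are not what stops the javascript: case; the
// scheme check above is. Returns null when the target must not be linked.
function renderRedirectLink(raw) {
  if (!isSafeRedirectTarget(raw)) return null;
  const href = parseRedirectTarget(raw).href; // normalised absolute URL
  return `<a href="${escapeAttr(href)}" rel="noopener noreferrer" target="_blank">Continue</a>`;
}

// Constructed sample inputs, as a redirect parameter might arrive.
const SAMPLE_TARGETS = [
  "javascript:alert()",                // the payload from the post
  "\tJaVaScRiPt:alert()",              // scheme disguised by case and a tab
  "//evil.example/login",              // scheme-relative, leaves the site
  "https://example.com.evil.example/", // suffix-matching lookalike host
  "/dashboard",                        // legitimate relative path
  "https://www.example.com/account",   // legitimate absolute URL
];

// Returns [target, allowed] pairs so the decision can be inspected or tested.
function classifySamples() {
  return SAMPLE_TARGETS.map((t) => [t, isSafeRedirectTarget(t)]);
}

for (const [target, safe] of classifySamples()) {
  console.log(`${safe ? "ALLOW" : "BLOCK"}  ${JSON.stringify(target)}`);
}
```

The allowlist is matched on the parsed hostname, not by string prefix, which is why the lookalike host example.com.evil.example is rejected; a startsWith check on the raw string would have let it through.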

I am writing this only for future reference regarding the findings of the same case.

Keep hunting, and hopefully this is useful.
