UnveilScan

ANSSI Reco-WebSec §6

Secure cross-origin links (rel=noopener)

UnveilScan findings mapped to this control

The scanner emits 1 distinct finding on this control.

web.reverse_tabnabbing ⏱ 30 min

WEB — Reverse tabnabbing

Risk if ignored: Phishing vector: the page opened by a clicked external link can silently rewrite the original tab's location via window.opener while the user is reading the new tab. Modern browsers have implied noopener since 2020, but older mobile WebViews and embedded browsers do not. Templating frameworks usually have a one-line config to enforce this.

security reputational