CKEditor target blank vulnerability
Issue date: 13-12-2021
Affects versions: 14.6
Security Issue ID
SECURITY-78
Affected Product Version(s)
14.6.3 and previous releases.
Severity
medium
Description
People using target='_blank' links usually have no idea about this curious fact:
The linked page gains partial access to the linking page via the window.opener object.
The newly opened tab can then change window.opener.location to a phishing page. Users trust the page that is already open, so they will not get suspicious.
Example attack scenario
- Create a fake "viral" page with cute cat pictures, jokes or whatever, get it shared on Facebook (which is known for opening links via _blank).
- Create a "phishing" website at https://fakewebsite/facebook.com/page.html for example
- Put this code into your "viral" page
window.opener.location = 'https://fakewebsite/facebook.com/page.html';
which redirects the Facebook tab to your phishing page, asking the user to re-enter their Facebook password.
The issue has been mitigated by a new rule in our server-side HTML-Cleaner named secureTargetBlankLinks, which is enabled by default. It adds the attribute rel="noopener noreferrer" to all external links to prevent the aforementioned behavior. For more information, see https://web.dev/external-anchors-use-rel-noopener/
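To illustrate what such a cleaner rule has to do, here is an added example in Python that is not the product's secureTargetBlankLinks implementation: it rewrites every anchor that has target="_blank" and points to a host outside the site's own hosts so that its rel attribute contains both noopener and noreferrer, while leaving internal links, existing rel tokens, entities and other markup untouched. The host list SITE_HOSTS and all function names are assumptions made for this example.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Assumption for this example: hosts that count as "our own site".
SITE_HOSTS = {"example.com", "www.example.com"}

def is_external(href, site_hosts=SITE_HOSTS):
    """True if href names a host that is not one of the site's own hosts.
    Relative links (no host) are treated as internal."""
    host = urlparse(href).hostname
    return host is not None and host.lower() not in site_hosts

def hardened_rel(rel):
    """Return rel with noopener and noreferrer added, keeping existing tokens."""
    tokens = rel.split() if rel else []
    for needed in ("noopener", "noreferrer"):
        if needed not in tokens:
            tokens.append(needed)
    return " ".join(tokens)

class SecureTargetBlank(HTMLParser):
    """Re-emits the parsed HTML, hardening external target=_blank anchors."""
    def __init__(self, site_hosts):
        super().__init__(convert_charrefs=False)  # keep entities as written
        self.site_hosts, self.out = site_hosts, []
    def _emit_tag(self, tag, attrs, selfclosing=False):
        if tag == "a":
            d = dict(attrs)
            target = (d.get("target") or "").lower()
            if target == "_blank" and is_external(d.get("href") or "", self.site_hosts):
                d["rel"] = hardened_rel(d.get("rel"))
                attrs = list(d.items())
        parts = [tag]
        for k, v in attrs:  # attribute values come back unescaped, so re-escape
            parts.append(k if v is None else f'{k}="{escape(v, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))
    def handle_starttag(self, tag, attrs): self._emit_tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._emit_tag(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")

def secure_target_blank_links(html, site_hosts=SITE_HOSTS):
    """Clean a fragment of HTML so no external _blank link exposes window.opener."""
    p = SecureTargetBlank(site_hosts)
    p.feed(html)
    p.close()
    return "".join(p.out)
```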
Instructions
Customers using the 14.x major versions are recommended to upgrade to the latest version in that series.