Unsafe Use of Target blank in QUASAR CDN content. #15990 #17829

Open
@Sai12-34-1

Description

What happened?

Unsafe use of target blank. In the application, when opening a new page using an HTML element with the "target" attribute (with any value), or with window.open() within JavaScript, the new page has some access to the original page through the window.opener object. This may allow redirection to a malicious phishing page.

What did you expect to happen?

When invoking an untrusted new window using "var newWindow = window.open()", set "newWindow.opener=null" before setting "newWindow.location" to a potentially untrusted site, such that when the new site is open in the new window, it has no access to its original "opener" attribute.

Reproduction URL

https://jsfiddle.net/rstoenescu/a2cuzods

How to reproduce?

  1. Go to the provided URL.
  2. Open the CDN url of Quasar (https://cdn.jsdelivr.net/npm/quasar@2/dist/quasar.umd.prod.js).
  3. Search for "window.open()" in the file content.

Flavour

UMD

Areas

SPA Mode

Platforms/Browsers

Chrome

Quasar info output

Relevant log output

Additional context

No response
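
The mitigation described under "What did you expect to happen?", written out as an added example; this is not code from the issue or from Quasar. The names `openUntrusted`, `openUnhardened` and `makeFakeWindow` are hypothetical, and the fake window is a constructed stand-in so the block also runs outside a browser.

```javascript
// Constructed stand-in for a browser window (assumption: models only the
// properties this example needs: location, opener and open()).
function makeFakeWindow(href) {
  const self = {
    location: href,
    opener: null,
    open(url) {
      const child = makeFakeWindow(url || 'about:blank');
      child.opener = self; // the back-reference the issue describes
      return child;
    },
  };
  return self;
}

// Unhardened pattern: the untrusted page loads with window.opener still set,
// so it keeps a handle on the page that opened it.
function openUnhardened(win, url) {
  return win.open(url);
}

// Hardened pattern from the issue text: open a blank window, clear opener,
// and only then navigate to the potentially untrusted site.
function openUntrusted(win, url) {
  const child = win.open();   // blank window, nothing untrusted loaded yet
  if (!child) return null;    // popup was blocked
  child.opener = null;        // sever the link back to the original page
  child.location = url;       // navigate after the link is gone
  return child;
}

// In a browser, pass the real `window`; here a fake one is used.
const appWindow = makeFakeWindow('https://app.example/');
const weak = openUnhardened(appWindow, 'https://untrusted.example/');
const safe = openUntrusted(appWindow, 'https://untrusted.example/');
console.log('unhardened keeps opener:', weak.opener === appWindow);
console.log('hardened opener is null:', safe.opener === null);
```

For links that use the "target" attribute, adding `rel="noopener"` to the element has the same effect, as does passing `noopener` in the features argument of `window.open()`.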
