There is a major flaw in how the specification for window.opener works, resulting in a major phishing vulnerability that is cake to pull off.
The right solution isn’t considered because it would break compatibility with the small number of sites that depend upon the broken specification, even though it would be simple for those sites to implement a secure method.
So instead the entire web is left with an extremely poor default and a crappy solution that won’t be implemented by a large number of sites.
And that’s why the Internet will remain a playground for con artists for years to come.
I’ve lost faith in the W3C. It’s useless, time for a fork and a new standards body. Seriously.
BTW – if the fix that the W3C does endorse, the rel="noopener" attribute, is the best the W3C is willing to do, Red Hat better make sure it makes it into the ESR version of Firefox they ship, or it will be vulnerable for some time.
The broken fix the W3C endorses isn’t even set to make it into standard Firefox until Firefox 52. Which is odd because it is a serious security vulnerability. I’m worried it won’t make it into ESR Firefox for some time. ESR often lags on features.
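What applying rel="noopener" across a site's markup involves, as an added example that is not part of the original post: the function below adds the attribute to every link with target="_blank" that lacks it, keeping any existing rel tokens. The name hardenLinks and the sample markup are assumptions made for illustration, and only target="_blank" links are handled.

```javascript
// Added example: give every <a>/<area> tag with target="_blank" a rel="noopener".
// Limitation: regex-based, so an attribute value containing ">" is not handled.
const TAG_RE = /<(a|area)(?=[\s\/>])([^>]*)>/gi;
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function parseAttrs(src) {
  const attrs = [];
  for (const m of src.matchAll(ATTR_RE)) {
    const v = [m[2], m[3], m[4]].find((x) => x !== undefined);
    attrs.push({ name: m[1].toLowerCase(), value: v === undefined ? null : v });
  }
  return attrs;
}

function serialize(tagName, attrs) {
  const parts = attrs.map((a) => {
    if (a.value === null) return a.name;            // boolean attribute
    const q = a.value.includes('"') ? "'" : '"';    // keep the value intact
    return `${a.name}=${q}${a.value}${q}`;
  });
  return `<${[tagName, ...parts].join(' ')}>`;
}

function hardenLinks(html) {
  let fixed = 0;
  const out = html.replace(TAG_RE, (tag, tagName, attrSrc) => {
    const attrs = parseAttrs(attrSrc);
    const target = attrs.find((a) => a.name === 'target');
    if (!target || String(target.value).toLowerCase() !== '_blank') return tag;
    const rel = attrs.find((a) => a.name === 'rel');
    const tokens = rel && rel.value ? rel.value.split(/\s+/).filter(Boolean) : [];
    if (tokens.some((t) => t.toLowerCase() === 'noopener')) return tag; // already set
    tokens.push('noopener');
    if (rel) rel.value = tokens.join(' ');
    else attrs.push({ name: 'rel', value: 'noopener' });
    fixed += 1;
    return serialize(tagName, attrs);
  });
  return { html: out, fixed };
}

// Constructed sample markup, not taken from any real site.
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">no rel</a>',
  "<a href='https://example.com/b' TARGET=_blank rel='nofollow'>rel without noopener</a>",
  '<a href="https://example.com/c" target="_blank" rel="noopener noreferrer">already safe</a>',
  '<a href="/local">same tab</a>',
].join('\n');
console.log(hardenLinks(SAMPLE));
```

The fixed count doubles as an audit figure: a non-zero value on already-published markup means some new-tab links still hand window.opener to the destination page.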