CKEditor target blank vulnerability 

Issue date: 13-12-2021
Affects versions: 14.6

Security Issue ID

SECURITY-78

 

Affected Product Version(s)

14.6.3 and previous releases.


Severity 

Medium

 

Description

Pages that open links with target="_blank" are often unaware of the following browser behaviour:

Unless the link carries rel="noopener", the newly opened page receives a reference to the linking page through its window.opener object. Cross-origin access through that reference is limited, but assigning to window.opener.location is allowed.

The newly opened tab can therefore navigate the original tab to a phishing page. Users trust the tab that was already open, so the swap is unlikely to raise suspicion (this technique is known as reverse tabnabbing).

Example attack scenario

  • Create a fake "viral" page with cute cat pictures, jokes or whatever, and get it shared on Facebook (which is known for opening links via _blank).
  • Create a "phishing" website at, for example, https://fakewebsite/facebook.com/page.html
  • Put this code into your "viral" page:
    window.opener.location = 'https://fakewebsite/facebook.com/page.html';
    When a visitor arrives from Facebook, this redirects the Facebook tab to your phishing page, which asks the user to re-enter their Facebook password.

 

The issue has been mitigated by a new rule in our server-side HTML-Cleaner named secureTargetBlankLinks, which is enabled by default. It adds the attribute rel="noopener noreferrer" to all external links to prevent the aforementioned behaviour: noopener makes window.opener null in the opened page, and noreferrer additionally suppresses the Referer header. Recent browser versions already imply noopener for target="_blank" anchors, but the explicit attribute still protects users of older browsers. For more information, see https://web.dev/external-anchors-use-rel-noopener/
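The following is an added, illustrative example of what a server-side cleaner rule of this kind does; it is not the product's own secureTargetBlankLinks implementation and makes no claim about how that code is written. It rewrites only <a> start tags, treats a link as external when its http(s) host differs from an assumed site origin (https://example.com here), and merges noopener and noreferrer into any rel tokens the author already set. The sample HTML body is constructed for the demo.

```javascript
// Added example: a minimal server-side rule that appends rel="noopener noreferrer"
// to external anchors. Illustrative only, not the product's own cleaner code.

const SITE_ORIGIN = 'https://example.com'; // assumed site origin for this demo

// <a ...> start tags; quoted attribute values may contain '>' so they are
// consumed as units instead of stopping at the first '>'.
const ANCHOR_TAG_RE = /<a\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
// One attribute: name, optionally followed by ="..." | '...' | bare value.
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Parse the raw attribute string of a start tag into an ordered list.
function parseAttributes(raw) {
  const attrs = [];
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const value = m[2] !== undefined ? m[2] : m[3] !== undefined ? m[3] : m[4];
    attrs.push({ name: m[1].toLowerCase(), value: value === undefined ? null : value });
  }
  return attrs;
}

// An href is "external" when it resolves to an http(s) URL on another host.
// Relative hrefs resolve to the site itself; mailto:, tel:, etc. are left alone.
function isExternal(href, siteOrigin) {
  if (href === null) return false; // e.g. <a name="anchor"> has no href
  let url;
  try {
    url = new URL(href, siteOrigin);
  } catch {
    return false; // unparsable href: do not touch the tag
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return url.host !== new URL(siteOrigin).host;
}

function serializeAttributes(attrs) {
  return attrs
    .map(({ name, value }) =>
      value === null ? name : `${name}="${value.replace(/"/g, '&quot;')}"`)
    .join(' ');
}

// Rewrite every external <a> tag so its rel list contains noopener and noreferrer.
function secureExternalLinks(html, siteOrigin = SITE_ORIGIN) {
  return html.replace(ANCHOR_TAG_RE, (tag, rawAttrs) => {
    const attrs = parseAttributes(rawAttrs);
    const href = attrs.find((a) => a.name === 'href');
    if (!href || !isExternal(href.value, siteOrigin)) return tag; // internal: unchanged

    const rel = attrs.find((a) => a.name === 'rel');
    const tokens = new Set(
      (rel && rel.value ? rel.value : '').toLowerCase().split(/\s+/).filter(Boolean)
    );
    tokens.add('noopener');
    tokens.add('noreferrer');
    const merged = [...tokens].join(' ');
    if (rel) rel.value = merged;
    else attrs.push({ name: 'rel', value: merged });
    return `<a ${serializeAttributes(attrs)}>`;
  });
}

// Constructed sample body, as a user might submit it through the editor.
function demo() {
  const body =
    '<p><a href="https://evil.test/cats" target="_blank">Cute cats</a> ' +
    '<a href="/about" target="_blank">About</a> ' +
    "<a href='https://partner.test' rel=\"nofollow\" target=\"_blank\">Partner</a></p>";
  return secureExternalLinks(body, 'https://example.com');
}

console.log(demo());
```

Running the demo rewrites the evil.test and partner.test anchors (the latter keeps its existing nofollow) and leaves the site-relative /about link untouched. Since the rule runs on stored content, it also covers links that bypass the editor's client-side handling, which is the point of doing this server-side.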

 

Instructions

Customers using the 14.x major version are advised to upgrade to the latest release in that series.