So my husband brought this up to me, and, while I doubt my piddly little website is cannon fodder for full-scale phishing warfare, it never hurts to protect yourself.
The hubby explained in great detail, using the maximum amount of allowable technical jargon (which, if you want to read the entire thing, here it is)
But for the TLDR crowd, here’s the basic layman’s version:
If you have a link in your post – or anywhere else for that matter – which opens a new tab using the html code target=”_blank” and you don’t follow it up with rel=”noopener” , your pages may be vulnerable to a certain type of phishing attack. When a new tab opens with target=”_blank” there is a crafty little loophole that hackers can slip through with a window.opener app that gives them access to:
the ORIGINAL tab in the browser
I.E. the one the reader clicked in the first place.
From there, they can spoof your page to try and get information like usernames and passwords, or view the browsing history of the parent tab. And probably a bunch of other things I didn’t understand at all.
WordPress DOES NOT use rel=”noopener” when you press the handy LINK button and select ‘Open In New Window.’
I looked through all my posts’ HTML code to check.
Nope. Not there.
In case you can’t guess, this is bad. And you don’t want it to happen.
So, I guess, until WordPress jumps on the bandwagon and fixes the issue, I’ll be doing all my own HTML.
* You don’t have to believe me, or my hubby (who writes software for self-driving cars for a living. Let’s just say, he knows a thing or two about computers.) If you want to see for yourself, just google target=_blank vulnerability and trust in the internet tech nerds.
Here ends this Public Service Announcement.