amarnath reddy pappu created AMBARI-24628:
---------------------------------------------

             Summary: Fix possible "Phishing by Navigating Browser Tabs" vulnerability
                 Key: AMBARI-24628
                 URL: https://issues.apache.org/jira/browse/AMBARI-24628
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: trunk, 2.6.2
            Reporter: amarnath reddy pappu


According to details found at https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/phishing-by-navigating-browser-tabs/, it is possible to change the "window.opener.location" value in browser windows opened using normal anchor tags where the "target" attribute is specified as "_blank". This gives an attacker the ability to change the parent location and thus potentially allow for a phishing attack to be invoked.

To help this situation, it is suggested that the following attribute be set along with the "target" attribute:

{noformat}
rel="noopener noreferrer"
{noformat}

For example:

{noformat}
<a href="..." target="_blank" rel="noopener noreferrer">...</a>
{noformat}

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
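
One way to audit markup for the condition described in this issue, as an added example that is not part of the original report or of Ambari's code: it lists anchors with target="_blank" that lack either suggested rel token and rewrites them. The function names and the sample markup are assumptions made for illustration, and the regex matching assumes attribute values do not contain ">".

```javascript
// Added example: find and fix target="_blank" anchors that lack the rel tokens
// suggested in the issue. Names and sample markup are hypothetical.
const REQUIRED = ["noopener", "noreferrer"];
const ANCHOR_RE = /<a\s[^>]*>/gi;

// Value of an attribute in an opening tag (quoted or unquoted), or null if absent.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// rel tokens still missing on an anchor that opens a new tab; [] when nothing to fix.
function missingRel(tag) {
  const target = getAttr(tag, "target");
  if (target === null || target.toLowerCase() !== "_blank") return [];
  const rel = (getAttr(tag, "rel") || "").toLowerCase().split(/\s+/).filter(Boolean);
  return REQUIRED.filter((t) => !rel.includes(t));
}

// Report every offending anchor with its offset in the input.
function audit(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const missing = missingRel(m[0]);
    if (missing.length) findings.push({ index: m.index, tag: m[0], missing });
  }
  return findings;
}

// Rewrite offending anchors, keeping any rel tokens that are already present.
function harden(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const missing = missingRel(tag);
    if (!missing.length) return tag;
    const rel = getAttr(tag, "rel");
    if (rel === null) return tag.replace(/\s*\/?>$/, ` rel="${REQUIRED.join(" ")}">`);
    const merged = [...rel.split(/\s+/).filter(Boolean), ...missing].join(" ");
    return tag.replace(/(\srel\s*=\s*)(?:"[^"]*"|'[^']*'|[^\s>]+)/i, (_, p) => `${p}"${merged}"`);
  });
}

// Constructed sample input: two anchors need fixing, two do not.
const SAMPLE = [
  '<a href="https://example.org/docs" target="_blank">docs</a>',
  '<a href="https://example.org/a" target="_blank" rel="nofollow noopener">a</a>',
  '<a href="https://example.org/b" target="_blank" rel="noopener noreferrer">b</a>',
  '<a href="/local">local</a>',
].join("\n");
```

Running audit() over rendered pages or template files in a build step catches new links that omit the attribute; harden() is meant for one-off cleanup, with the result reviewed before commit.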