[
https://issues.apache.org/jira/browse/AMBARI-24628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
ASF GitHub Bot updated AMBARI-24628:
------------------------------------
Labels: pull-request-available (was: )
> Fix possible "Phishing by Navigating Browser Tabs" vulnerability
> ----------------------------------------------------------------
>
> Key: AMBARI-24628
> URL: https://issues.apache.org/jira/browse/AMBARI-24628
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: trunk, 2.6.2
> Reporter: amarnath reddy pappu
> Assignee: Aleksandr Kovalenko
> Priority: Major
> Labels: pull-request-available
> Fix For: 2.7.2
>
>
> According to details found at
> https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/phishing-by-navigating-browser-tabs/,
> it is possible to change the "window.opener.location" value in browser
> windows opened using normal anchor tags where the "target" attribute is
> specified as "_blank".
> This gives an attacker the ability to change the parent location and thus
> potentially allow for a phishing attack to invoked.
> To help this situation, it is suggested that the following attribute be set
> along with the "target" attribute:
> {noformat}
> rel="noopener noreferrer"
> {noformat}
> For example:
> {noformat}
> <a href="..." target="_blank" rel="noopener noreferrer">...</a>
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
