What is reverse tabnabbing?

When a page opened in a new tab uses window.opener to redirect the original tab to a phishing site. The user switches back expecting their original page and sees a malicious copy.

noopener vs noreferrer?

noopener prevents the new tab from accessing window.opener. noreferrer also blocks the Referer header. Use both for full protection unless you specifically need referrer tracking.

Are modern browsers safe by default?

Mostly. Chrome, Firefox and Safari treat target="_blank" links as if noopener were set. But legacy / non-default browsers may not, and explicit rel="noopener" is best practice.

Does rel="noopener" affect SEO?

No. noopener is a security attribute, not a follow attribute. The link still passes ranking signal exactly as it would without it.

Can I add noopener globally?

Yes. Most CMS platforms and frameworks have plugins / settings that auto-add noopener to every external target="_blank" link. Audit your stack and enable it where available.

Unsafe Cross-Origin Links Test

The Unsafe Cross-Origin Links Test scans every <a target="_blank"> link on any page and reports which are missing the rel="noopener" (and ideally rel="noreferrer") attributes. Without noopener, the new tab gets a window.opener reference back to your page, which lets the destination page navigate your tab to a phishing site (reverse tabnabbing) and shares a JavaScript event loop that can hurt performance. Modern browsers default to noopener for new target="_blank" links but legacy markup still needs the explicit attribute.

What This Tool Checks

Every <a target="_blank"> on the page
rel="noopener" attribute presence
rel="noreferrer" attribute presence
Cross-origin destinations (where the risk is highest)
Performance impact of shared event loops

Why It Matters for SEO

Reverse tabnabbing is a real attack: a malicious destination page calls window.opener.location = "https://phishing-site" to swap your original tab for a phishing copy while the user is reading the new tab. Adding rel="noopener" to every target="_blank" link prevents the reference and closes the vulnerability. It also gives a small performance win because the two pages no longer share a process / event loop.

How to Fix It

Add rel="noopener noreferrer" to every <a target="_blank"> link. Update CMS templates so the attribute is preserved on save. For programmatic opens, use window.open(url, "_blank", "noopener"). Modern frameworks (React, Vue, Next.js) increasingly add noopener automatically.

How It Works

We walk every <a> in the DOM, identify those with target="_blank" or equivalent JS open behaviour, and check each for rel="noopener". Cross-origin destinations are flagged separately because the security risk is highest there.

Common Mistakes to Avoid

External links opened in new tabs without rel="noopener"
CMS templates that strip rel attributes on save
JavaScript window.open() without noopener feature
Treating modern browser defaults as sufficient (legacy markup still needs the attribute)
rel="noreferrer" alone (also blocks Referer header, which may not be desired)

Quick Checklist

Every target="_blank" link has rel="noopener"
Cross-origin links also have rel="noreferrer" if appropriate
CMS templates preserve rel attributes
window.open() calls include "noopener" feature
Re-tested after CMS upgrades that may strip attributes

Unsafe Cross-Origin Links Test

What This Tool Checks

Why It Matters for SEO

How to Fix It

How It Works

Common Mistakes to Avoid

Quick Checklist

Frequently Asked Questions

Related Free Tools

About PositionMySite

Services

Let's Connect