Fix window.opener vulnerability

author: Bernhard Posselt <dev@bernhard-posselt.com> 2016-05-10 17:34:00 +0200
committer: Bernhard Posselt <dev@bernhard-posselt.com> 2016-05-10 17:34:00 +0200
commit: 9a3c1c71824723d4b369df9b412fd0a7d6f08ac5 (patch)
tree: 1af699d10e0e679129fee2f84d01f5d88fe46dad /js
parent: 1bc7a4907ac3f15f57a5076b4c74b887da0af204 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/js/gui/KeyboardShortcuts.js b/js/gui/KeyboardShortcuts.js
index c90f3bc70..9e32a15b3 100644
--- a/js/gui/KeyboardShortcuts.js
+++ b/js/gui/KeyboardShortcuts.js
@@ -263,7 +263,9 @@
     var openLink = function (scrollArea) {
         onActiveItem(scrollArea, function (item) {
             item.trigger('click');  // mark read
-            window.open(item.find('.external:visible').attr('href'), '_blank');
+            var url = item.find('.external:visible').attr('href');
+            var newWindow = window.open(url, '_blank');
+            newWindow.opener = null;
         });
     };
author	Bernhard Posselt <dev@bernhard-posselt.com>	2016-05-10 17:34:00 +0200
committer	Bernhard Posselt <dev@bernhard-posselt.com>	2016-05-10 17:34:00 +0200
commit	9a3c1c71824723d4b369df9b412fd0a7d6f08ac5 (patch)
tree	1af699d10e0e679129fee2f84d01f5d88fe46dad /js
parent	1bc7a4907ac3f15f57a5076b4c74b887da0af204 (diff)