In an update scheduled to go live with Chrome 88 in January 2021, Google has included tab hijacking protection in their browser. This protects against instances where links open in a new tab using the target=”_blank” attribute and modify the original page to redirect users to malicious sites. This fix implements a solution that has been pushed by security researchers for website owners to implement, but on a global scale for all Chromium-based browser users.
The original solution asked site owners to add a rel=”noopener” or rel=”noreferrer”. However, following the pattern set with changes that are already live for Apple and Mozilla browsers, Chrome will automatically add rel=”noopener” to any newly opened tabs. Additionally, this protection will be added to all other Chromium based browsers, including Microsoft Edge and Brave.
Analyst Notes
With these new proactive changes, web browsers are taking an interesting and welcome step forward towards user security. Binary Defense recommends updating any browsers that have already received this update, along with Chrome when it releases. Threat actors continue to target end users through email and web browser-based attacks. For security-conscious or high-risk users, one mitigation to consider is using the built-in “Windows Sandbox” feature of Windows 10 to safely isolate all email and web browsing so that exploits against browsers do not affect the rest of the computer’s security.
https://www.zdnet.com/article/chrome-to-block-tab-nabbing-attacks/
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview
