Now I know why I often see
<a> tags. But it turns out
rel="noopener" is not enough! We really need this:
<a href="https://somesite.com/" target="_blank" rel="noopener noreferrer">
tl;dr — The page that is opened in a new tab or window can change the
window.opener.location property so that a user who goes back to your page will fall into phishing-scam hell!
I’ve seen this happen from those annoying cover-all pop-up adds on mobile, and I’ve learned the only way out is to close the original window or page. Now I know why.