The hidden danger in target='_blank'

Now I know why I often see rel="noopener" inside <a> tags. But it turns out rel="noopener" is not enough! We really need this:

<a href="https://somesite.com/" target="_blank" rel="noopener noreferrer">

Read more here.

tl;dr — The page that is opened in a new tab or window can change the window.opener.location property so that a user who goes back to your page will fall into phishing-scam hell!

I’ve seen this happen from those annoying cover-all pop-up adds on mobile, and I’ve learned the only way out is to close the original window or page. Now I know why.