Issue Summary

Measures against Reverse Tabnabbing. To open a HTML link with href in a new browser tab often the attribute “target=”_blank” is used. Web pages opened this way (using this attribute) however have restricted access towards the calling page and can bypass the “Same-Origin-Policy”. Using the DOM element “window.opener.location” it is possible to route (to forward) the previous web page to a foreign domain. This (reverse tabnabbing) attack thus allows phishing attacks: an attacker forwards it’s victim – in the background – to another identically looking page trying the get the login credentials, for example. And all other pages the user is visiting in this newly opened tab have access to this DOM element and thus can overwrite the original page in the background. As a result this problem occurs for all page links (internal as well as external) and is especially troublesome when linking non-trustworthy web pages. To avoid such attacks the access onto the DOM element “window” of the own web page must be prevented.

Modern browsers already implement a mitigation for reverse tabnabbing and nullify the target _blank. However, security scanners keep flagging Bamboo as vulnerable, requiring action from sysadmins or exception in security scans. Plus this would also add some uniformity in Atlassian suite, once Jira and Confluence implement it.