From 618db01abc56f93556fada35062faf2d44fe44a0 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Wed, 8 Apr 2026 06:12:26 +0700
Subject: [PATCH] fix(security): global `_blank` link rewriting without `noopener`

The script forces all links to open in a new tab by injecting ``, but does not enforce `rel="noopener noreferrer"` on those links. Opened pages can access `window.opener` and potentially navigate the original tab to a phishing page (reverse tabnabbing).

Affected files: TargetBlank.user.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 TargetBlank.user.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/TargetBlank.user.js b/TargetBlank.user.js
index 7c0869d07..f92420b55 100644
--- a/TargetBlank.user.js
+++ b/TargetBlank.user.js
@@ -28,6 +28,8 @@
 Array.from(document.links).forEach(function (_this) { // 排除特殊链接
 if (_this.onclick || _this.href.slice(0,4) != 'http' || _this.getAttribute('href').slice(0,1) === '#') {
 _this.target = '_self'
+ } else {
+ _this.rel = 'noopener noreferrer'
 }
 })
 document.querySelectorAll('form').forEach(function (_this) { // 排除 form 标签
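Review bot: Assigning `_this.rel = 'noopener noreferrer'` in the new `else` branch replaces whatever `rel` tokens the page author already set (for example `nofollow` or `ugc`), so I would add the tokens instead: `_this.relList.add('noopener', 'noreferrer')`. The loop also only visits the links present in `document.links` when the script runs. If the `_blank` default is applied document-wide, as the commit message describes (that code is outside this hunk), anchors inserted later still open in a new tab without the `rel`, so the reverse-tabnabbing exposure is narrowed rather than closed. Covering later insertions would need an observer or a delegated click handler, which is a separate change. A short comment on the branch, such as `// cut window.opener for links that keep the new-tab default`, would record why the attribute is set.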