Coinbase: window.opener is leaking to external domains upon redirect on Safari

2016-08-18T18:38:55
ID H1:160498
Type hackerone
Reporter cablej
Modified 2016-08-22T19:56:32

Description

Although Coinbase cleared window.opener on external redirects, this was not effective in WebKit-based browsers (Safari): Safari's cross-origin policy prevents the opening page from modifying the window.opener of a child window that lies on a different origin, yet still allows that child window to access window.opener.location.

The solution, proposed by the reporter, was to add rel="noreferrer noopener" to these external links.
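As an added example (not Coinbase's code or the reporter's), the fix applied at the template layer: every anchor whose href resolves to a different origin than the site gets rel="noreferrer noopener" merged into its existing rel tokens, instead of relying on clearing the child window's opener after window.open, which the report shows Safari blocks cross-origin. The site origin and the HTML fragment are constructed for illustration.

```javascript
// Assumed first-party origin; links resolving elsewhere are treated as external.
const SITE_ORIGIN = "https://example.com";

// Decide whether a link is cross-origin relative to the site.
// Relative hrefs resolve to the site itself; non-http(s) schemes (mailto:, tel:)
// never open a navigable child window, so they are not rewritten.
function isExternal(href, siteOrigin = SITE_ORIGIN) {
  let url;
  try {
    url = new URL(href, siteOrigin);
  } catch {
    return false; // unparsable href cannot redirect anywhere
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return url.origin !== new URL(siteOrigin).origin;
}

// Merge the two required tokens into an existing rel value, keeping its other
// tokens (e.g. nofollow) and avoiding duplicates.
function hardenRel(rel) {
  const tokens = new Set((rel || "").split(/\s+/).filter(Boolean));
  tokens.add("noreferrer");
  tokens.add("noopener");
  return [...tokens].join(" ");
}

// Rewrite every <a ...> tag in an HTML fragment so that external links carry
// the hardened rel attribute. A tag-level regex with double-quoted attributes
// is enough for this demo; production code would do this in its templating engine.
function hardenExternalLinks(html, siteOrigin = SITE_ORIGIN) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const hrefMatch = attrs.match(/\bhref\s*=\s*"([^"]*)"/i);
    if (!hrefMatch || !isExternal(hrefMatch[1], siteOrigin)) return tag;
    const relMatch = attrs.match(/\brel\s*=\s*"([^"]*)"/i);
    const newRel = hardenRel(relMatch ? relMatch[1] : "");
    const newAttrs = relMatch
      ? attrs.replace(relMatch[0], `rel="${newRel}"`)
      : `${attrs} rel="${newRel}"`;
    return `<a${newAttrs}>`;
  });
}

// Constructed sample: one internal link, one external link with an existing rel,
// one external link with no rel at all.
const SAMPLE_HTML =
  '<a href="/account">Account</a> ' +
  '<a href="https://partner.example.net/" target="_blank" rel="nofollow">Partner</a> ' +
  '<a href="https://other.example.org">Elsewhere</a>';
```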