Coinbase: window.opener is leaking to external domains upon redirect on Safari

ID H1:160498
Type hackerone
Reporter cablej
Modified 2016-08-22T19:56:32


Coinbase already cleared window.opener when redirecting to external sites, but the mitigation was not effective in WebKit-based browsers (Safari). Safari's cross-origin security prevents modifying the window.opener of a child window once that window lies on a different origin, yet it still allows the child window to access window.opener.location. An external page opened from Coinbase could therefore still navigate the Coinbase tab that opened it to a URL of its choosing (reverse tabnabbing).

The fix, proposed by the reporter, was to add rel="noreferrer noopener" to these external links. noopener opens the target without a window.opener reference, and noreferrer additionally omits the Referer header; noreferrer also implies noopener behaviour and is honoured by browsers that predate noopener support, which is why the two are normally combined.
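As an added example (not code from the report or from Coinbase), the following applies the reporter's mitigation mechanically: it rewrites every anchor whose href points to a different origin so that it carries rel="noopener noreferrer", merging with any rel tokens already present. The site origin and the sample HTML are assumptions constructed for the example; the tag-level regexes assume ordinary markup (no anchors hidden inside script strings or comments).

```javascript
// Added example, not from the original report: add rel="noopener noreferrer"
// to outbound links so the opened page gets no window.opener reference.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
// Leading (^|\s) keeps data-href / data-rel from matching as href / rel.
const HREF_RE = /(^|\s)href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
const REL_RE = /(^|\s)rel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Attribute value from whichever quoting style matched.
function attrValue(m) {
  return m[2] ?? m[3] ?? m[4] ?? '';
}

// An href is external when it resolves to an http(s) URL whose origin differs
// from ours. Relative paths, fragments, mailto: and the like are not external.
function isExternal(href, ownOrigin) {
  try {
    const u = new URL(href, ownOrigin);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
    return u.origin !== new URL(ownOrigin).origin;
  } catch {
    return false; // unparseable href: leave the tag alone
  }
}

// Merge the required rel tokens into the existing rel value, deduplicated,
// preserving the order of what was already there.
function mergeRel(existing, required) {
  const tokens = new Set(existing.toLowerCase().split(/\s+/).filter(Boolean));
  for (const t of required) tokens.add(t);
  return [...tokens].join(' ');
}

// Rewrite every <a> tag in `html` whose href is external relative to
// `ownOrigin` so it carries the required rel tokens. Internal links and
// non-http(s) schemes are returned unchanged.
function hardenExternalLinks(html, ownOrigin, required = ['noopener', 'noreferrer']) {
  return html.replace(ANCHOR_RE, (tag, attrs) => {
    const href = HREF_RE.exec(attrs);
    if (!href || !isExternal(attrValue(href), ownOrigin)) return tag;
    const rel = REL_RE.exec(attrs);
    const merged = mergeRel(rel ? attrValue(rel) : '', required);
    const newAttrs = rel
      ? attrs.replace(REL_RE, (m, lead) => `${lead}rel="${merged}"`)
      : `${attrs} rel="${merged}"`;
    return `<a${newAttrs}>`;
  });
}

// Constructed sample page (assumed origin https://shop.example).
const SAMPLE_HTML = [
  '<p><a href="/account">Account</a>',
  '<a href="https://shop.example/help">Help</a>',
  '<a href="https://partner.example/offer" target="_blank">Partner</a>',
  '<a rel="nofollow" href="//tracker.example/out">Tracker</a></p>',
].join(' ');

console.log(hardenExternalLinks(SAMPLE_HTML, 'https://shop.example'));
```

The same rule applies to script-driven opens: instead of opening a window and then nulling its opener from script, which is the step that failed on Safari here, pass the feature directly, e.g. `window.open(url, '_blank', 'noopener,noreferrer')`.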