HackerOne reported issue: Links in Environments tab vulnerable to tabnabbing (target=_blank without noopener, noreferrer)
A user reported via HackerOne that GitLab project environments tabs can contain external links opened with target=_blank
yet they do not include the standard noopener noreferrer
to prevent tabnabbing.
https://www.jitbit.com/alexblog/256-targetblank---the-most-underestimated-vulnerability-ever/
We need to add these options to all external links opened with target=_blank
.
The attack surface is very low here as environments can only be viewed by members of a project that have developer or greater access and environments can only be created by members of that same project who also have developer or greater access.