Tabnabbing on spec-disrespecting browsers in plankanban/planka
Aug 28th 2022
Some browsers do not comply with the 2021 HTML specification (which makes links opened with `target="_blank"` behave as if `rel="noopener"` were set), so a page opened from a link can still reach and redirect the parent window through `window.opener`. This applies to links in card descriptions.
1. Create a new card.
2. Add https://someevilsite.com to the card.
3. Once opened, that site can do the following: `window.opener.location.href="https://redirect-to-evil-site.com"`
This can lead to phishing attacks (for example, redirecting the original tab to a fake login page). It can also cause data loss, because Planka follows the redirect without asking the user to confirm leaving the page.
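As an added illustration (not Planka's own code), the following audits rendered description HTML for anchors that open a new tab without `rel="noopener"` and rewrites them to carry `rel="noopener noreferrer"`, which severs `window.opener` even in browsers that ignore the spec default. The regex-based attribute parser and the sample HTML are constructed for the example.

```javascript
// Constructed example: audit and harden <a> tags in rendered card-description HTML.
// A simplified attribute parser is used here; a real renderer would work on a DOM or AST.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// Parse the attribute string of one <a ...> tag into an object with lowercase keys.
function parseAttrs(attrString) {
  const attrs = {};
  for (const m of attrString.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Detection: return the hrefs of anchors that open a new browsing context
// (target="_blank") without rel="noopener", i.e. links that expose window.opener.
function findUnsafeAnchors(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const a = parseAttrs(m[1]);
    const opensNewContext = (a.target || '').toLowerCase() === '_blank';
    const rel = (a.rel || '').toLowerCase().split(/\s+/);
    if (opensNewContext && !rel.includes('noopener')) unsafe.push(a.href || '');
  }
  return unsafe;
}

// Mitigation: for every target="_blank" anchor, merge "noopener noreferrer" into rel,
// keeping href and any other attributes the renderer already emitted.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrString) => {
    const a = parseAttrs(attrString);
    if ((a.target || '').toLowerCase() !== '_blank') return tag; // in-tab link: unchanged
    const rel = new Set((a.rel || '').split(/\s+/).filter(Boolean));
    rel.add('noopener');
    rel.add('noreferrer');
    a.rel = [...rel].join(' ');
    const rendered = Object.entries(a)
      .map(([k, v]) => `${k}="${String(v).replace(/"/g, '&quot;')}"`)
      .join(' ');
    return `<a ${rendered}>`;
  });
}
```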