Tabnabbing on spec-disrespecting browsers in plankanban/planka

Valid

Reported on Aug 28th 2022


Some browsers do not comply with the 2021 HTML specification, meaning that an attacker can redirect the parent window. This applies to links in descriptions.

// Create a new card
// Add https://someevilsite.com to card
// Now the site can do the following:
window.opener.location.href="https://redirect-to-evil-site.com"

Impact

This can lead to phishing attacks (for example, redirect the site to a fake login page). This can also lose data because Planka allows redirects without requesting that the user confirm leaving the page.

ndren
a month ago

Researcher


The easiest way to resolve this would be to use rel="noreferrer", which implies noopener in the old specification as well. Another thing to consider would be to change window.unload from null to a function so that data is less likely to be lost.
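
The rel-based mitigation suggested above, sketched as an added example that is not part of the original report or Planka's code. The helper names (`hardenLinkProps`, `findUnsafeLinks`) and the sample HTML are hypothetical; the example also covers named targets, which go slightly beyond the `_blank` case in the report because they open a new browsing context as well.

```javascript
// Added example: hypothetical helpers, not Planka's code.
const SAME_CONTEXT = new Set(['', '_self', '_parent', '_top']);

// True when the link opens a new browsing context that could receive window.opener.
function opensNewContext(target) {
  return !SAME_CONTEXT.has((target || '').toLowerCase());
}

function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// Add noopener and noreferrer, keeping tokens that are already set (e.g. nofollow).
function hardenLinkProps(props) {
  if (!opensNewContext(props.target)) return { ...props };
  const tokens = relTokens(props.rel);
  tokens.add('noopener').add('noreferrer');
  return { ...props, rel: [...tokens].join(' ') };
}

// Rough scan of rendered HTML (regex-based, not a full parser): returns the href
// of every <a> that opens a new context without noopener or noreferrer.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const [, attrText] of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (const m of attrText.matchAll(attrRe)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    const rel = relTokens(attrs.rel);
    if (opensNewContext(attrs.target) && !rel.has('noopener') && !rel.has('noreferrer')) {
      unsafe.push(attrs.href);
    }
  }
  return unsafe;
}

// Constructed sample: rendered card descriptions.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">a</a>
<a href="https://example.com/b" target="_blank" rel="nofollow">b</a>
<a href="https://example.com/c" target="_blank" rel="noreferrer">c</a>
<a href="https://example.com/d">d</a>
<a href='https://example.com/e' target=docs>e</a>`;
```

`hardenLinkProps` is meant to be applied wherever user-supplied links are rendered, and `findUnsafeLinks` can run in a test over rendered output to catch regressions.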

Maksim Eltyshev validated this vulnerability 25 days ago
ndren has been awarded the disclosure bounty
Maksim Eltyshev
25 days ago

Maintainer


Thank you for reporting this!

Maksim Eltyshev confirmed that a fix has been merged on 3379c6 24 days ago