Oxygen WebHelp support for mitigating tabnabbing security threat

Posted: Wed Apr 03, 2024 1:39 pm
by ann.jensen
Hi,
Will Oxygen WebHelp be updated or has it been updated to mitigate against the security threat described in
https://cheatsheetseries.owasp.org/chea ... tabnabbing?
Thanks in advance,
Ann

Re: Oxygen WebHelp support for mitigating tabnabbing security threat

Posted: Thu Apr 04, 2024 1:36 pm
by beniamin_savu
Hi,

Oxygen WebHelp does have support for mitigating tabnabbing. Firstly, we do not use window.open in our JavaScript code to open pages in a new tab. Further, for external links, we try to include the "noopener" value in the @rel attribute, provided you are using an <xref> or <topicref> element with the @scope attribute set to "external". For example:

<xref href="https://google.com" format="html" scope="external">Content</xref>

We recognize the importance of security in today's digital environment, so please do notify us immediately if you encounter any security issues within the WebHelp Responsive output. Your feedback is invaluable as we continue to enhance our software's security features.

Also, it is worth noting, as per the Open Web Application Security Project (OWASP), most modern browsers are expected to have built-in support for adding @rel="noopener" on links directed to open in a new tab (@target="_blank"). More details can be found here: https://owasp.org/www-community/attacks ... Tabnabbing

Best regards,
Beniamin Savu
Oxygen WebHelp Team
http://www.oxygenxml.com
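
One way to check published output for the behaviour described in the reply above, as an added example that is not part of the thread and is not Oxygen's code: a scan of generated HTML for links with target="_blank" whose rel has neither noopener nor noreferrer. The function names, the sample markup and the idea of pointing it at a WebHelp output folder are assumptions made for illustration.

```python
import sys
from html.parser import HTMLParser
from pathlib import Path

SAFE_REL = {"noopener", "noreferrer"}  # noreferrer also implies noopener

class BlankTargetAudit(HTMLParser):
    """Collect <a>/<area> tags that open a new tab without a safe rel token."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, href)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("target", "").strip().lower() != "_blank":
            return  # same-tab links give the target page no opener handle
        if not SAFE_REL & set(a.get("rel", "").lower().split()):
            self.findings.append((self.getpos()[0], a.get("href", "")))

def audit_html(text):
    """Return [(line, href), ...] for unsafe new-tab links in one document."""
    parser = BlankTargetAudit()
    parser.feed(text)
    parser.close()
    return parser.findings

def audit_tree(root):
    """Map each .html file under root (assumed output folder) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.html")):
        found = audit_html(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed sample markup, not taken from real WebHelp output.
SAMPLE = """<html><body>
<a href="https://example.com/a" target="_blank" rel="noopener">ok</a>
<a href="https://example.com/b" target="_blank">missing rel</a>
<a href="https://example.com/c" target="_blank" rel="external nofollow">wrong rel</a>
<a href="topic.html">same tab</a>
<a href="https://example.com/d" target="_BLANK" rel="NoReferrer">ok</a>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, found in audit_tree(sys.argv[1]).items():
            for line, href in found:
                print(f"{file}:{line}: target=_blank without noopener: {href}")
    else:
        print(audit_html(SAMPLE))
```

Run with the output directory as the only argument to list each offending link by file and line; an empty result means every new-tab link carries noopener or noreferrer.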

Re: Oxygen WebHelp support for mitigating tabnabbing security threat

Posted: Tue Apr 09, 2024 12:45 pm
by ann.jensen
That's very informative, thank you, Beniamin.
Regards,
Ann