From b4b9d303dee030e862a9fb0364ba9b854e396f23 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Sun, 12 Apr 2026 06:45:04 +0700
Subject: [PATCH] fix(security): potential reverse tabnabbing via `window.open` wit

External links are opened with `window.open(url, "_blank")` without `noopener`/`noreferrer`. A newly opened page can potentially access `window.opener` and navigate the original inspector window, enabling phishing-style attacks.
Affected files: AppRenderer.tsx
Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 client/src/components/AppRenderer.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/client/src/components/AppRenderer.tsx b/client/src/components/AppRenderer.tsx
index e25f35c91..dbc39b4c0 100644
--- a/client/src/components/AppRenderer.tsx
+++ b/client/src/components/AppRenderer.tsx
@@ -74,7 +74,7 @@ const AppRenderer = ({
 const handleOpenLink = async ({ url }: { url: string }) => {
 let isError = true;
 if (url.startsWith("https://") || url.startsWith("http://")) {
- window.open(url, "_blank");
+ window.open(url, "_blank", "noopener,noreferrer");
 isError = false;
 }
 return { isError };
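Review bot: The new `window.open(url, "_blank", "noopener,noreferrer")` line carries no comment explaining why the third argument is there, and a features string that nothing else reads is exactly what a later cleanup tends to drop; add a comment above it such as `// "noopener" stops the opened page from reaching window.opener (reverse tabnabbing); "noreferrer" additionally suppresses the Referer header.` With `noopener` set, conforming browsers return `null` from `window.open`, so any future attempt to detect a blocked popup cannot rely on its return value — the hunk ignores it, so nothing breaks today, but that is worth a word in the same comment. The scheme check on the preceding line is case-sensitive, so an `HTTPS://…` URL falls through with `isError: true`; that is the conservative direction, but if it is intentional a short comment would stop someone "fixing" it with a lowercase comparison that also admits other schemes. The closing brace of the enclosing `handleOpenLink` arrow function lies outside the hunk.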