The simplest solution is to avoid using target=... in HTML and to always set target="_self" when calling JavaScript window.open(), especially for links to user-generated content and external domains. If you decide to use HTML target=, also use rel="noopener noreferrer". The "noopener" value tells the web browser not to allow JavaScript in the newly opened page to gain control over the referring window (so window.opener won't give access to it). The "noreferrer" value prevents referrer information from being passed on to the new tab/window.
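One way to apply the rel rule to stored or user-generated markup in bulk, as an added example that is not from the original page. The function names hardenLinks and hardenAnchor and the sample HTML are assumptions, and the regex matching is a sketch for well-formed markup, not a replacement for a DOM-based sanitizer.

```javascript
// Added example: ensure every <a> that carries target= also carries
// rel="noopener noreferrer", keeping any rel tokens already present.
const REQUIRED = ["noopener", "noreferrer"];

// Match one attribute by name; value may be double-quoted, single-quoted or unquoted.
function attrPattern(name) {
  return new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, "i");
}

// Rewrite a single opening <a ...> tag (hypothetical helper).
function hardenAnchor(tag) {
  if (!attrPattern("target").test(tag)) return tag; // no target=, nothing to do

  const rel = attrPattern("rel").exec(tag);
  const tokens = rel
    ? (rel[1] ?? rel[2] ?? rel[3] ?? "").split(/\s+/).filter(Boolean)
    : [];
  const present = tokens.map((t) => t.toLowerCase());
  for (const needed of REQUIRED) {
    if (!present.includes(needed)) tokens.push(needed);
  }
  const relAttr = ` rel="${tokens.join(" ")}"`;

  // Replace an existing rel attribute, or add one right after the tag name.
  return rel
    ? tag.replace(attrPattern("rel"), () => relAttr)
    : tag.replace(/^<a/i, (m) => m + relAttr);
}

// Apply hardenAnchor to every opening <a> tag in an HTML string.
// Limitation: a literal ">" inside an attribute value ends the match early.
function hardenLinks(html) {
  return html.replace(/<a(?=[\s>])[^>]*>/gi, hardenAnchor);
}

// Constructed sample input: quoted, unquoted and target-less anchors.
const SAMPLE =
  `<p><a href="https://example.org/" target="_blank">x</a> ` +
  `<a href='/a' target=_blank rel='nofollow'>y</a> ` +
  `<a href="/b">z</a> <abbr title="t">w</abbr></p>`;

console.log(hardenLinks(SAMPLE));
```

The rewrite is idempotent, so it can run on content that was already processed without duplicating rel tokens.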