Insecure Links Opening in New Tab
A target="_blank" link without rel="noopener" exposes window.opener to the destination page — a security vulnerability called "tabnabbing".
Why it matters
A target="_blank" link without rel="noopener" exposes window.opener to the destination page — a security vulnerability called "tabnabbing". It can also hurt performance because the new tab runs in the same process.
Address when convenient — notices usually mark a polish opportunity rather than a defect. Estimated SEO impact: medium — measurable effect on click-through or relevance.
How to fix
- Add
rel="noopener noreferrer"to everytarget="_blank"link - Use a linter or template helper to enforce this site-wide
Common causes
If the rule is firing across many pages, the root cause is almost always one of these:
target="_blank"applied broadly without the matchingrel="noopener".- Affiliate or partner snippets pasted in raw without sanitisation.
- Old "open in new tab" UX pattern from before tabnabbing was a known threat.
Anti-patterns to avoid
Even with the best intentions, these "fixes" make the issue worse — recognise them so you don't ship them:
- Bare
target="_blank"withoutrel="noopener". - Linking to known low-trust or spammy sites for SEO juice trades.
- Sending users off-site mid-conversion without warning.
Example
Here's a typical instance — the problematic line is highlighted in red:
<a href="/img/example.jpg" target="_blank">Read more</a>
And the fix — the corrected line, highlighted in green:
<a href="/img/example.jpg" target="_blank" rel="noopener noreferrer">Read more</a>
How atlookup detects this
Our crawler renders each page with a real headless browser, then checks the safety attributes (target, rel) and trust signals on every outbound link. Pages where the rule fires for insecure links opening in new tab are flagged on the report.
If you'd like to see this rule fire on your own site, run a free 60-second audit — every page is reported with the exact lines that triggered it.
Tools to verify the fix
Once you've applied the fix, double-check with these external validators:
- Lighthouse — Best-Practices audit catches unsafe target=_blank.
- axe DevTools — Reviews link semantics and accessibility.
Frequently asked questions
Why does Insecure Links Opening in New Tab matter for SEO?
A target="_blank" link without rel="noopener" exposes window.opener to the destination page — a security vulnerability called "tabnabbing". It can also hurt performance because the new tab runs in the same process.
How do I fix insecure links opening in new tab?
Add rel="noopener noreferrer" to every target="_blank" link Use a linter or template helper to enforce this site-wide
Is this a critical SEO issue?
Address when convenient — notices usually mark a polish opportunity rather than a defect. Estimated SEO impact: medium — measurable effect on click-through or relevance.
How does atlookup detect insecure links opening in new tab?
Our crawler renders each page with a real headless browser, then checks the safety attributes (target, rel) and trust signals on every outbound link. Pages where the rule fires for insecure links opening in new tab are flagged on the report.
How long does it take to fix?
5–15 minutes per page. Most teams batch similar issues across templates so the per-page time goes down at scale.
Related issues
EXTERNAL_LINK_BROKEN
Broken External Link
Links pointing to dead pages (4xx/5xx) send visitors to errors and signal a poorly maintained site to search engines.
EXTERNAL_LINK_SSL_ERROR
External Link Has HTTPS Certificate Problem
A link to an HTTPS URL with an expired, self-signed, or untrusted certificate will throw a security warning in users' browsers, hurting trust and click-through.
EXTERNAL_LINK_REDIRECT_LOOP
External Link Redirects in a Loop
A circular redirect chain means the destination page is unreachable — browsers will eventually stop and show an error.
EXTERNAL_LINK_TIMEOUT
External Link Times Out
A link that consistently times out is effectively broken for users.