Don’t Touch My Tabs!
Firefox is to further protect its consumers from phishing attacks with a new feature that will prevent reverse tabnabbing by default.
The move by Mozilla is planned for both Beta and Nightly versions of Firefox.
Reverse tabnabbing is a twist on a classic phishing attack – a user clicks a link on a genuine web page, which then opens up a new tab, but when the user revisits their original tab, the web page they were looking at is no longer genuine.
An attacker could replace the web page with a phishing site, for example, and trick the victim into inputting their credentials.
This attack – also referred to as ‘tab hijacking’ – is currently mitigated via a Firefox extension called ‘Don’t Touch My Tabs!’, or by adding rel=noopener to any hyperlink.
“Prevent tabs opened by a hyperlink from hijacking the previous tab by adding the rel=noopener attribute to all hyperlinks (excluding same-domain hyperlinks),” reads the add-on’s description, released last year, which has just over 7,000 downloads at the time of writing.
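The behaviour the add-on's description outlines, as an added example that is not the add-on's or Mozilla's code: a function that adds rel=noopener to every cross-origin link and leaves same-origin links alone. The function names and sample links are constructed, and the sketch compares full origins (scheme, host and port), which is an assumption stricter than the "same-domain" wording in the description.

```javascript
// Added example: names and sample links below are constructed for illustration.

// True when href resolves to a different origin than the page it sits on.
function isCrossOrigin(href, pageUrl) {
  try {
    return new URL(href, pageUrl).origin !== new URL(pageUrl).origin;
  } catch {
    return true; // unparseable href: treat it as untrusted
  }
}

// Add rel=noopener to every cross-origin link and return the links changed.
// `anchors` is any iterable of objects with href/rel properties, for example
// document.querySelectorAll('a[href]') in a browser.
function hardenLinks(anchors, pageUrl) {
  const changed = [];
  for (const a of anchors) {
    // rel is a space-separated token list; keywords are case-insensitive.
    const tokens = (a.rel || '').split(/\s+/).filter(Boolean);
    const hasNoopener = tokens.some((t) => t.toLowerCase() === 'noopener');
    if (hasNoopener || !isCrossOrigin(a.href, pageUrl)) continue;
    a.rel = [...tokens, 'noopener'].join(' '); // keep existing tokens
    changed.push(a);
  }
  return changed;
}

// Constructed sample: plain objects stand in for <a> elements.
const page = 'https://shop.example/cart';
const links = [
  { href: '/help', target: '_blank', rel: '' },                         // same origin
  { href: 'https://partner.example/offer', target: '_blank', rel: '' }, // unprotected
  { href: 'https://cdn.example/doc', target: '_blank', rel: 'nofollow' },
  { href: 'https://other.example/', target: '_blank', rel: 'NoOpener' }, // already set
];
const changedLinks = hardenLinks(links, page);
console.log(changedLinks.map((a) => `${a.href} -> rel="${a.rel}"`));
```

In a page, `hardenLinks(document.querySelectorAll('a[href]'), location.href)` applies the same logic to live anchors.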
A recent ecosystem-wide HTML specification adjustment has now driven Mozilla to work on a new feature that will mitigate this issue in Firefox by default.
Firefox is said to have enabled this feature by default in the Nightly browser version previously. A bug affected its functionality, however, and the feature was disabled.
A spokesperson from Mozilla told The Daily Swig: “When testing the new feature in Firefox Nightly, we discovered that downloads opened in a new tab would leave a superfluous blank tab, while we’d rather like it to close automatically.
“We’re working on fixing this behavior and will ship the new functionality once we’re sure it’s working as intended.”
Mozilla confirmed that the feature was enabled in Firefox Nightly and can be enabled in Beta by switching dom.targetBlankNoOpener.enabled to true in about:config.