HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
- Severity: Low
Description
When adding a "web link" to the HFS virtual filesystem, the frontend renders it as an anchor with target="_blank" but without the rel="noopener noreferrer" attribute. Because the opener relationship is not severed, the page opened in the new tab can use its window.opener reference to set the location of the original HFS tab (reverse tabnabbing), for example redirecting it to a look-alike login page while the user is looking at the new tab. Only the linked page's navigation of the opener is possible; cross-origin access to the HFS document itself is still blocked by the same-origin policy. Current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) treat target="_blank" as implying noopener by default, so the practical impact is limited to older browsers, which is consistent with the Low severity; setting the rel attribute explicitly remains the correct fix.
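The following is an added example, not code from the HFS project: it renders a "web link" entry in the vulnerable shape the advisory describes and in the hardened shape, checks whether a rendered anchor would expose window.opener (either noopener or noreferrer in rel severs the opener for target="_blank"), and shows the one-line payload a linked page would run against the opener. Function names, the attacker URL and the sample links are all constructed for illustration.

```javascript
// Added example (not HFS's own code). Shows why a missing rel attribute on a
// target="_blank" anchor matters and what the fix looks like.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text for safe interpolation into HTML attribute values and content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Accept only http(s) targets for a web link. A javascript: or data: URL would
// run in the HFS origin on click, which is a separate and worse problem than
// tabnabbing, so it is rejected here regardless of rel.
function safeHref(url) {
  let u;
  try { u = new URL(url); } catch { return null; }
  return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
}

// Vulnerable shape (what the advisory describes): target="_blank", no rel.
function renderWebLinkVulnerable(url, label) {
  const href = safeHref(url);
  if (!href) return null;
  return `<a href="${escapeHtml(href)}" target="_blank">${escapeHtml(label)}</a>`;
}

// Hardened shape: rel="noopener noreferrer" gives the new tab window.opener === null
// and also suppresses the Referer header (noreferrer implies noopener).
function renderWebLinkHardened(url, label) {
  const href = safeHref(url);
  if (!href) return null;
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Mirrors the HTML spec rule for a rendered anchor string: the opener is exposed
// to a target="_blank" navigation unless rel contains noopener or noreferrer.
// (Modern browsers additionally default to noopener; this reports the explicit state.)
function openerExposed(anchorHtml) {
  const opensNewTab = /\btarget="_blank"/.test(anchorHtml);
  const relMatch = anchorHtml.match(/\brel="([^"]*)"/);
  const tokens = relMatch ? relMatch[1].toLowerCase().split(/\s+/) : [];
  const severed = tokens.includes("noopener") || tokens.includes("noreferrer");
  return opensNewTab && !severed;
}

// Constructed attacker page (hypothetical URL): with an exposed opener this is
// all the linked site needs to swap the original HFS tab for a phishing page.
const ATTACKER_PAYLOAD =
  'if (window.opener) { window.opener.location = "https://hfs-login.example/"; }';

// Audit helper: list the links in a set of rendered entries that are still exposed.
function findExposedLinks(entries) {
  return entries
    .map((e) => ({ label: e.label, html: renderWebLinkVulnerable(e.url, e.label) }))
    .filter((e) => e.html !== null && openerExposed(e.html))
    .map((e) => e.label);
}

// Constructed sample entries, the kind a user might add to the virtual filesystem.
const SAMPLE_ENTRIES = [
  { label: "Project wiki", url: "https://wiki.example.org/" },
  { label: "Bad link", url: "javascript:alert(1)" },
  { label: "Mirror", url: "https://mirror.example.net/files" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderWebLinkVulnerable("https://wiki.example.org/", "Project wiki"));
  console.log(renderWebLinkHardened("https://wiki.example.org/", "Project wiki"));
  console.log("exposed:", findExposedLinks(SAMPLE_ENTRIES));
  console.log("attacker would run:", ATTACKER_PAYLOAD);
}
```

The audit helper is the same check a practitioner would run over a rendered HFS page when verifying the fix: grep every target="_blank" anchor and flag those whose rel lacks noopener or noreferrer.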
Recommendation
Update the hfs package to the latest compatible version. Version details:
- Affected version(s): <= 0.57.9
- Patched version(s): 0.57.10
- Tags: npm, hfs
Last updated on August 12, 2025