🛡️ Sentinel: [MEDIUM] Fix reverse tabnabbing vulnerability in external links#75

Open
darksheer wants to merge 1 commit into
masterfrom
sentinel-fix-reverse-tabnabbing-14161173859279720080
Conversation

@darksheer darksheer commented Jun 2, 2026

🚨 Severity: MEDIUM
💡 Vulnerability: Several external links using target="_blank" (or the invalid target="blank") were missing the rel="noopener noreferrer" attribute. This allows the newly opened tab to retain a reference to the original page's window.opener object, making the application vulnerable to reverse tabnabbing attacks, where a malicious external site can redirect the original page to a phishing site.
🎯 Impact: If a legitimate external link is compromised or redirected, the attacker could exploit the window.opener reference to navigate the user's original tab to a malicious site, potentially stealing credentials or sensitive information.
🔧 Fix: Added rel="noopener noreferrer" to all target="_blank" anchor tags across Vue components (NavigationFooter.vue, ContactUsView.vue, DesignPrinciplesView.vue, HomeView.vue, TechniqueView.vue). Also corrected invalid target="blank" attributes to target="_blank".
Verification: Verified that external links in the UI now include the secure rel attribute and ran the frontend build and lint processes successfully.


PR created automatically by Jules for task 14161173859279720080 started by @darksheer

Summary by CodeRabbit

Bug Fixes

  • Improved external link handling across navigation, contact, design principles, and technique pages
  • Standardized link attributes to ensure consistent behavior when opening external resources
  • Corrected invalid link attribute values to comply with web standards

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
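An added example, not code from this PR or from the project: a small lint-and-fix pass for the exact anchor pattern the PR corrects. It flags `target="_blank"` anchors with no `noopener`/`noreferrer`, flags the invalid `target="blank"` value, and rewrites them the way the PR did. Function names, the regexes and the `example.test` URL in the sample are this example's own assumptions; `getAttackURL()` is the binding seen in the PR diff.

```javascript
// Added example, not the PR's code: a lint/fixer for the anchor pattern the PR
// changed. "blank" (no underscore) is a *named* target, not the _blank keyword,
// but it still opens a tab whose window.opener points back at this page.
const ANCHOR_RE = /<a\b[^>]*>/gi;
const ATTR_RE = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2] ?? m[3];
  return attrs;
}
const opensNewTab = (a) => ['blank', '_blank'].includes((a.target || '').trim().toLowerCase());
// rel="noreferrer" implies noopener in every browser that supports either keyword.
const lacksOpenerProtection = (a) => {
  const rel = (a.rel || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
};

// Returns one finding per problem: { tag, issue }
function auditAnchors(source) {
  const findings = [];
  for (const [tag] of source.matchAll(ANCHOR_RE)) {
    const a = parseAttrs(tag);
    if (!opensNewTab(a)) continue;
    if (a.target.trim().toLowerCase() === 'blank') findings.push({ tag, issue: 'invalid-target-blank' });
    if (lacksOpenerProtection(a)) findings.push({ tag, issue: 'missing-noopener' });
  }
  return findings;
}

// Rewrites offending anchors the way the PR did: correct the target keyword and
// add noopener noreferrer, merging into an existing rel rather than duplicating it.
function hardenAnchors(source) {
  return source.replace(ANCHOR_RE, (tag) => {
    const a = parseAttrs(tag);
    if (!opensNewTab(a)) return tag;
    const fixed = tag.replace(/target\s*=\s*(["'])blank\1/i, 'target="_blank"');
    if (!lacksOpenerProtection(a)) return fixed;
    return a.rel === undefined
      ? fixed.replace(/\s*\/?>$/, (end) => ' rel="noopener noreferrer"' + end)
      : fixed.replace(/(\brel\s*=\s*["'])([^"']*)/i, (_, p, v) => `${p}${v ? v + ' ' : ''}noopener noreferrer`);
  });
}

// Constructed sample mirroring the anchors the PR touched, in their pre-fix state.
const SAMPLE = `<a href="https://example.test/ctid" target="_blank">CTID</a>
<sup><a href="" target="blank">1</a></sup>
<a :href="getAttackURL()" target="_blank" rel="noopener noreferrer">&</a>`;
```

Run `auditAnchors` over a template directory in CI to catch regressions; the fixer leaves anchors that already carry `noopener` or `noreferrer` untouched.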
@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

📝 Walkthrough

This pull request systematically updates external links across five Vue component files to improve security and correctness. All links that open in new tabs now include rel="noopener noreferrer" to prevent window.opener access, and incorrect target="blank" attributes are corrected to target="_blank".

Changes

External link security attributes

  • Layer: Navigation and footer organization links
    File(s): src/components/NavigationFooter.vue
    Summary: CTID and social media links (LinkedIn, YouTube, GitHub) are updated to include rel="noopener noreferrer" alongside target="_blank" for secure external navigation.
  • Layer: Contact Us page action links
    File(s): src/views/ContactUsView.vue
    Summary: The "stay-informed" CTID button and GitHub issue submission link receive rel="noopener noreferrer" attributes with formatting adjustments.
  • Layer: Design Principles source citations
    File(s): src/views/DesignPrinciplesView.vue
    Summary: Multiple source references (MITRE ATT&CK, FS-ISAC, NRF retail fraud taxonomy, Stripe FT3) are corrected to use target="_blank" and rel="noopener noreferrer".
  • Layer: Primary content view external links
    File(s): src/views/HomeView.vue, src/views/TechniqueView.vue
    Summary: MITRE ATT&CK links are corrected from invalid target="blank" to target="_blank" and updated with security attributes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

A rabbit hops through the code with glee,
Securing links with rel (so safe they'll be!)
From footer to views, each anchor now shines,
noopener noreferrer guards all the lines ✨🔐
Safe travels await those who click through!

🚥 Pre-merge checks | ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically identifies the main change: fixing a reverse tabnabbing vulnerability in external links by adding rel='noopener noreferrer' attributes across multiple Vue components.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@research/f3-snapshot-1835d4f/src/views/DesignPrinciplesView.vue`:
- Around line 28-29: The footnote anchor in the DesignPrinciplesView.vue
template renders <a href=""> which opens an empty new tab; either replace the
empty href with the real citation URL or remove the anchor and render the
citation as plain text. Locate the paragraph that contains the <sup><a
...>1</a></sup> markup and update the <a> element to use the correct external
URL (including target and rel attributes) or remove the <a> entirely and leave
the "1" in plain text to avoid a broken link.

In `@research/f3-snapshot-1835d4f/src/views/TechniqueView.vue`:
- Around line 23-24: The ATT&CK shortcut anchor in TechniqueView.vue currently
uses just “&” as visible text, so update the anchor rendered when
technique.isAttack to include an aria-label (e.g. "Open the corresponding MITRE
ATT&CK page in a new tab") so screen readers get a meaningful name; locate the
<a> that calls getAttackURL() and add aria-label="Open the corresponding MITRE
ATT&CK page in a new tab" (or bind a localized string) while keeping
target="_blank" and rel="noopener noreferrer".

📥 Commits

Reviewing files that changed from the base of the PR and between 65e835b and e7d11be.

📒 Files selected for processing (5)
  • research/f3-snapshot-1835d4f/src/components/NavigationFooter.vue
  • research/f3-snapshot-1835d4f/src/views/ContactUsView.vue
  • research/f3-snapshot-1835d4f/src/views/DesignPrinciplesView.vue
  • research/f3-snapshot-1835d4f/src/views/HomeView.vue
  • research/f3-snapshot-1835d4f/src/views/TechniqueView.vue

Comment on lines 28 to +29
<p>The initial release focuses on financial fraud as seen by banking institutions<sup><a href=""
target="blank">1</a></sup>. </p>
target="_blank" rel="noopener noreferrer">1</a></sup>. </p>
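Review bot: the anchor on line 28 still carries `href=""`, so after this change it opens an empty new tab instead of the cited source; either point it at the citation URL or drop the `<a>` and leave the footnote marker `1` as plain text until the reference exists. The `target="blank"` to `target="_blank"` correction itself is right: `blank` is a named browsing context rather than the `_blank` keyword, and a tab opened that way also kept a live `window.opener`, so the added `rel="noopener noreferrer"` is needed here as well.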

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Replace the empty footnote destination.

Line 28 still renders footnote 1 with href="", so this now opens a useless new tab instead of the cited source. Please either point it at the real reference URL or render plain text until that citation exists.


Comment on lines 23 to +24
<h1> {{ technique?.name }} <a v-if="technique.isAttack" :href="getAttackURL()" class="attack-indicator"
target="_blank">&</a></h1>
target="_blank" rel="noopener noreferrer">&</a></h1>
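Review bot: `v-if="technique.isAttack"` dereferences `technique` without the optional chaining that `{{ technique?.name }}` uses on the same line; if `technique` can be undefined during render, as the `?.` suggests, the `v-if` expression throws before the guard helps, so it should read `v-if="technique?.isAttack"`. The added `rel="noopener noreferrer"` is correct for an `:href` computed by `getAttackURL()`, since the destination is external and opened in a new tab; the link's only visible text is `&`, so an `aria-label` naming the destination is still needed for assistive technology.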

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add an accessible label to the ATT&CK shortcut link.

The link’s visible text is only &, so assistive tech gets an unhelpful name here. Adding an aria-label like “Open the corresponding MITRE ATT&CK page in a new tab” would make the control understandable.
