Summary
window.open(data.pr_url, '_blank') is called without the noopener,noreferrer window features. The opened page therefore receives a window.opener reference to the parent tab and can navigate the parent (for example by assigning window.opener.location) to a different URL.
Location
ui/app.js — executePR(), line ~1829
Risk
Reverse tabnabbing. The URL is server-controlled (data.pr_url) and no origin restriction is applied before the opener reference is handed to the new page.
Proposed Fix
window.open(data.pr_url, '_blank', 'noopener,noreferrer');
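The implicit noopener that browsers apply to `<a target="_blank">` links does not extend to window.open(), so the feature string has to be passed explicitly. The helper below is an added example for this review, not code from ui/app.js: it wraps window.open with noopener,noreferrer and, as an extra layer, accepts only https URLs whose origin is on an allowlist. The allowlist entries and the PR URL are constructed placeholders, and the window object is injected as a parameter so the helper can be exercised outside a browser.

```javascript
// Added example, not the project's code. Hardened replacement for the
// window.open(data.pr_url, '_blank') call flagged in executePR().

// Hypothetical allowlist of origins a PR link may point at. In a real
// deployment this would come from application configuration.
const ALLOWED_PR_ORIGINS = new Set([
  'https://forge.example', // constructed placeholder, not a real host
]);

// Opens `rawUrl` in a new tab without handing it an opener reference.
// `windowLike` defaults to the browser window; tests pass a fake object.
// Returns a small result object so callers can log or display refusals.
function openExternal(rawUrl, windowLike = globalThis.window, allowedOrigins = ALLOWED_PR_ORIGINS) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch (err) {
    return { opened: false, reason: 'invalid-url' };
  }

  // Reject javascript:, data:, http: and anything else that is not https.
  if (url.protocol !== 'https:') {
    return { opened: false, reason: 'bad-scheme' };
  }

  // A server bug or tampered response must not be able to send the user
  // to an arbitrary site from a trusted UI action.
  if (!allowedOrigins.has(url.origin)) {
    return { opened: false, reason: 'origin-not-allowed' };
  }

  // noopener severs window.opener in the new tab; noreferrer also drops the
  // Referer header so the destination does not learn the parent URL.
  const handle = windowLike.open(url.href, '_blank', 'noopener,noreferrer');

  // Per spec open() returns null when noopener is set. Older engines that
  // still return a handle get the opener cleared as a fallback.
  if (handle) {
    handle.opener = null;
  }
  return { opened: true, href: url.href };
}

// Stand-alone demonstration with a fake window that records the call.
function demo() {
  const calls = [];
  const fakeWindow = {
    open(href, target, features) {
      calls.push({ href, target, features });
      return null; // matches real browsers when noopener is requested
    },
  };
  // Constructed PR URL on the allowlisted placeholder origin.
  openExternal('https://forge.example/org/repo/pull/42', fakeWindow);
  // Refused: server-supplied value points somewhere unexpected.
  openExternal('https://phish.example/login', fakeWindow);
  return calls;
}

console.log(demo());
```

Callers that relied on the return value of window.open (for example to call focus() on the new tab) will need adjusting, because with noopener the call returns null.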