The window.opener object can be used to “hack” the contents of the parent tab. That’s bad news if the original tab contains sensitive information or forms that could be used to input sensitive information. You can see an excellent demonstration of this process on the “about rel=noopener” site.
A simple application of this hack would be to embed a link in a WordPress page that opens a new page in a new tab. Code in the new page could then be used to change the contents of the original tab to a fake login page, which would then transmit the user’s login details to the malicious third party. If the parent and child tabs contain pages on different domains, there are greater restrictions on the window.opener object, but the child tab is still able to redirect the parent tab to a different page. It’s easy to imagine a situation in which an attacker spams malicious links that redirect the parent tab to a phishing site.
As you can see, the window.opener object presents a security risk without adding much that’s useful for the vast majority of WordPress sites. The rel="noopener" attribute tells web browsers to disable the window.opener object. Without access to that object, there’s no way a child tab can influence its parent.
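One way to check a page's markup for links that still expose window.opener, as an added example that is not part of the original article: the function below finds `<a target="_blank">` tags whose rel value lacks noopener and adds it. The name hardenBlankLinks and the sample links are assumptions made for illustration.

```javascript
// Added example: give every <a target="_blank"> a rel value containing "noopener".
// hardenBlankLinks is a hypothetical helper name. The regex scan is meant for
// auditing post content; it assumes no attribute value contains ">".
function hardenBlankLinks(html) {
  let fixed = 0;
  const out = html.replace(/<a\s[^>]*>/gi, (tag) => {
    // Only links that open a new tab hand window.opener to the child page.
    if (!/\starget\s*=\s*(["']?)_blank\1(?=[\s>])/i.test(tag)) return tag;

    const rel = tag.match(/(\s)rel\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i);
    if (!rel) {
      fixed++;
      return tag.replace(/>$/, ' rel="noopener">');
    }
    // rel is a space-separated token list; keep existing tokens such as nofollow.
    const tokens = (rel[2] ?? rel[3] ?? rel[4]).split(/\s+/).filter(Boolean);
    if (tokens.some((t) => t.toLowerCase() === 'noopener')) return tag;
    fixed++;
    tokens.push('noopener');
    return tag.replace(rel[0], () => `${rel[1]}rel="${tokens.join(' ')}"`);
  });
  return { html: out, fixed };
}

// Constructed sample markup (not taken from any real site).
const sample = [
  '<a href="https://example.com/a" target="_blank">no rel</a>',
  '<a href="https://example.com/b" target="_blank" rel="nofollow">other rel</a>',
  "<a href='https://example.com/c' target='_blank' rel='noopener noreferrer'>ok</a>",
  '<a href="/local">same tab</a>',
  '<a href="#" data-target="_blank">not a target attribute</a>',
].join('\n');

const result = hardenBlankLinks(sample);
console.log(result.fixed + ' link(s) changed');
console.log(result.html);
```

Only the first two sample links are rewritten; the link that already carries noopener, the same-tab link and the data-target attribute are left alone.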
Does rel="noopener" Hurt SEO?
The short answer is no. The rel="noopener" attribute has nothing to do with search engine optimization. Search engine crawlers ignore it, and it doesn’t impact the pages they crawl or how they rank and index pages.
Although rel="noopener" removes the security risk, WordPress hosting clients should think twice before forcing pages to open in new tabs or windows. If users want to open links in new tabs or windows, their browsers make it easy to do so. Forcing pages to open in new tabs is an unnecessary imposition on the expected user experience of the web.