target="_blank" Vulnerability Resulting in Critical Phishing Vector
Unknown
Vulnerability Details
**Description**
I have a script running on my server which gives me full control over a visitor's window object. This allows me to replace the user's legitimate mapbox.com session with my own Mapbox phishing form (not live). As you can see from the proof-of-concept video below, this vulnerability works cross-origin. This is an extremely effective phishing vector and should be remediated ASAP.
**Video PoC:** {F116642}
**Reproduction Steps:**
1. Navigate to my map at https://www.mapbox.com/editor/?id=chasemiller5.19coghk8#data
2. Click on my website link in the description (http://chasemiller.me/hax/mapbox_test.html)
3. This should open the link and change the user's legitimate mapbox.com session to my malicious Mapbox login phishing page (not active) (behavior may vary slightly between browsers).
**Mitigation:**
This bug can be easily mitigated by using the 'noopener' link type. This sets the 'window.opener' property to 'null'.
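The pattern the report describes is usually called reverse tabnabbing: a page opened through a `target="_blank"` link keeps a `window.opener` reference to the page that opened it, and the mitigation is a `rel` value that severs that reference. As an added example that is not part of the report or of Mapbox's own code, the following Node.js script scans server-rendered HTML for anchors that open a new browsing context without `noopener` (treating `noreferrer` as equivalent, since it implies `noopener`) and rewrites them. The sample HTML is constructed for the example, the attribute scanning is a deliberately small regex approximation rather than a full HTML parser, and the function names are the example's own. Major browsers have since made `noopener` the default for `target="_blank"`, but an explicit `rel` keeps the protection on older engines and makes the intent visible in templates.

```javascript
// Added example (not from the report): detect and fix <a target="_blank"> links
// that still expose window.opener to the opened page.

// One <a ...> start tag; group 1 is the raw attribute text.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
// One attribute: name, then optionally = "value" | 'value' | bareword.
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse raw attribute text into an ordered {name: value} object.
// Values are kept verbatim (no entity decoding), so they can be re-emitted as-is.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// rel is a space-separated token list; either token sets window.opener to null.
function seversOpener(attrs) {
  const tokens = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes("noopener") || tokens.includes("noreferrer");
}

function opensNewContext(attrs) {
  return (attrs.target || "").toLowerCase() === "_blank";
}

// Return every <a> that opens a new tab/window and leaves window.opener intact.
function findUnsafeAnchors(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (opensNewContext(attrs) && !seversOpener(attrs)) {
      findings.push({ tag: m[0], href: attrs.href || "", index: m.index });
    }
  }
  return findings;
}

// Rebuild a start tag from parsed attributes (order preserved, values quoted).
function serializeAnchor(attrs) {
  const parts = Object.entries(attrs).map(
    ([name, value]) => `${name}="${value.replace(/"/g, "&quot;")}"`
  );
  return "<a " + parts.join(" ") + ">";
}

// Add "noopener" to every unsafe anchor, appending to an existing rel list.
function addNoopener(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!opensNewContext(attrs) || seversOpener(attrs)) return tag;
    const existing = (attrs.rel || "").trim();
    attrs.rel = existing ? `${existing} noopener` : "noopener";
    return serializeAnchor(attrs);
  });
}

// Constructed sample: two unsafe links (first and last), two already safe, one same-tab.
const SAMPLE_HTML = `
<p>My map: <a href="https://example.test/map" target="_blank">open</a></p>
<p>Safe: <a href="https://example.test/docs" target="_blank" rel="noopener">docs</a></p>
<p>Also safe: <a href="https://example.test/x" rel="noreferrer" target="_blank">x</a></p>
<p>Same tab: <a href="/about">about</a></p>
<p><a target=_blank href='https://example.test/y' rel="nofollow">y</a></p>
`;

for (const f of findUnsafeAnchors(SAMPLE_HTML)) {
  console.log(`unsafe link to ${f.href} at offset ${f.index}: ${f.tag}`);
}
console.log(addNoopener(SAMPLE_HTML));
```

Run it with `node` to see the two flagged anchors and the rewritten HTML; in a template pipeline the same `findUnsafeAnchors` call can serve as a build-time lint that fails when a `target="_blank"` link ships without `noopener`.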
**Report Stats**
- Report ID: 165136
- State: Closed
- Substate: informative
- Upvotes: 4