Phishing by navigating browser tabs

Browsers permit related tabs to navigate to each other, enabling phishing attacks such as tabnabbing. One example of a tabnabbing attack works as follows:

  1. A foreground tab is opened from a trusted application.
  2. This tab displays an attacker-controlled website, and uses window.opener.location.assign() to replace the background tab with a malicious document.
  3. Of course, this action also changes the address bar of the background tab – but the attacker hopes that the victim will be less attentive and will blindly enter their password or other sensitive information when returning to the background tab.

Conclusion

If you report a tabnabbing attack, we won't file a bug based on your report, unless you can convince us with a strong attack scenario and demonstrate a significant impact.

Why? We believe that tabnabbing attacks are inherent to the current design of web browsers and can't be meaningfully mitigated by any single website. For instance, regarding the example described above: even if we prevent the page on the new tab from redirecting the page on the old tab, the new tab can still open additional tabs quite easily, in order to spoof the UI of the page that the user originally came from. The URL bar – unfortunately – remains one of the few security indicators users need to pay attention to, regardless of whether the issue described on this page is fixed or not.
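As an added example (not part of the original page), the link-hardening step the paragraph above alludes to: severing the opener relationship so that the new tab's window.opener is null and the location.assign() step has nothing to act on. The helper names and the stand-in DOM objects are constructed for this example; in a real page you would pass `document`. Current browsers already treat target="_blank" links as noopener by default, so this mainly covers older browsers and explicit window.open() calls, and, as the paragraph notes, it does nothing against UI spoofing in further tabs the new page opens itself.

```javascript
// Added example, not code from the original page. Ensures every link that opens a
// new tab carries rel="noopener", so the opened document sees window.opener === null
// and cannot call window.opener.location.assign() on the tab it came from.
// Add missing tokens to an anchor's rel attribute; returns true if anything changed.
function addRelTokens(anchor, tokens) {
  const have = new Set((anchor.getAttribute('rel') || '').toLowerCase().split(/\s+/).filter(Boolean));
  let changed = false;
  for (const t of tokens) {
    if (!have.has(t)) { have.add(t); changed = true; }
  }
  if (changed) anchor.setAttribute('rel', [...have].join(' '));
  return changed;
}
// Walk every anchor that opens a new browsing context and add rel="noopener".
// `root` is anything exposing querySelectorAll, so a real `document` works.
// Returns how many anchors were changed (useful as an audit or CI metric).
function hardenNewTabLinks(root) {
  let fixed = 0;
  for (const a of root.querySelectorAll('a[target="_blank"]')) {
    if (addRelTokens(a, ['noopener'])) fixed += 1;
  }
  return fixed;
}
// Programmatic counterpart: window.open(url, '_blank', noopenerFeatures(...))
// yields a window whose `opener` is null. Returns the features string to pass.
function noopenerFeatures(extra = '') {
  return ['noopener', extra].filter(Boolean).join(',');
}
// Constructed stand-in for DOM nodes so the example runs outside a browser.
function fakeAnchor(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    getAttribute: (k) => (map.has(k) ? map.get(k) : null),
    setAttribute: (k, v) => { map.set(k, v); },
  };
}
function buildSampleDocument() {
  const anchors = [
    fakeAnchor({ href: 'https://partner.example/login', target: '_blank' }),                // needs fixing
    fakeAnchor({ href: 'https://partner.example/docs', target: '_blank', rel: 'nofollow' }), // needs fixing
    fakeAnchor({ href: 'https://safe.example/', target: '_blank', rel: 'noopener' }),        // already safe
    fakeAnchor({ href: '/account', target: '_self' }),                                       // same tab
  ];
  return { querySelectorAll: (sel) => (sel === 'a[target="_blank"]'
    ? anchors.filter((a) => a.getAttribute('target') === '_blank') : []) };
}
console.log(hardenNewTabLinks(buildSampleDocument()), 'links hardened'); // 2
```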

  • Does your vulnerability have any impact? – ft. LiveOverflow