diff --git a/javascript/ql/src/DOM/TargetBlank.qhelp b/javascript/ql/src/DOM/TargetBlank.qhelp index f0e7ca37500..e1b1fd8e7f2 100644 --- a/javascript/ql/src/DOM/TargetBlank.qhelp +++ b/javascript/ql/src/DOM/TargetBlank.qhelp @@ -9,6 +9,14 @@ of the origin page using window.opener unless link type noope or noreferrer is specified. This is a potential security risk.

+

+Note that only older browsers, where target="_blank" does not imply rel="noopener", +are affected by this vulnerability. Modern browsers implicitly add rel="noopener" to +target="_blank" links. +Refer to the browser compatibility section +on the anchor element for details on which browsers implicitly add rel="noopener" to target="_blank" links. +

+ diff --git a/javascript/ql/src/DOM/TargetBlank.ql b/javascript/ql/src/DOM/TargetBlank.ql index fb63737f678..dc7f1d65e79 100644 --- a/javascript/ql/src/DOM/TargetBlank.ql +++ b/javascript/ql/src/DOM/TargetBlank.ql @@ -10,7 +10,7 @@ * security * external/cwe/cwe-200 * external/cwe/cwe-1022 - * @precision very-high + * @precision low */ import javascript diff --git a/javascript/ql/src/change-notes/2024-03-21-target-blank-precision.md b/javascript/ql/src/change-notes/2024-03-21-target-blank-precision.md new file mode 100644 index 00000000000..89b0c0da191 --- /dev/null +++ b/javascript/ql/src/change-notes/2024-03-21-target-blank-precision.md @@ -0,0 +1,4 @@ +--- +category: queryMetadata +--- +* The `@precision` of the `js/unsafe-external-link` has been lowered to `low` to reflect that modern browsers do not provider the `opener` attribute and thus mitigate the potential security risk of having a link with `target="_blank"`. \ No newline at end of file
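Review bot: in the TargetBlank.qhelp hunk, the sentence "Refer to the browser compatibility section on the anchor element" names a reference without one being visible in the added text; if the source carries a link to that compatibility table, confirm it survives rendering, and if not, add it so readers can actually check which browsers imply `rel="noopener"`. Since the note itself says older browsers remain affected, it would also help to keep the existing recommendation to add `rel="noopener"` (or `noreferrer`) explicitly, which is harmless on modern browsers and still protects users on the older ones the note describes.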
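Review bot: in the TargetBlank.ql hunk, the justification given elsewhere in this patch is that modern browsers mitigate the issue, which is a statement about impact rather than about how often the query's result is a true positive; consider whether the intended effect is better expressed through the query's severity metadata, and state in the change note that `@precision low` was chosen deliberately for its effect on which suites include the query, so the reasoning is recorded alongside `- * @precision very-high` / `+ * @precision low`.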
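Review bot: in the change-notes hunk, the wording has a few defects: "do not provider the `opener` attribute" should read "do not provide", `window.opener` is a property of the opened window rather than an attribute, and "the `js/unsafe-external-link`" is missing the noun "query". Suggested line: "* The `@precision` of the `js/unsafe-external-link` query has been lowered to `low`, as modern browsers implicitly add `rel="noopener"` to `target="_blank"` links and thus mitigate the potential security risk." This also matches the phrasing used in the qhelp hunk. The file should end with a newline (the hunk shows "\ No newline at end of file").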