From 54a1c252768998da916f4bdca97e114e2dec84f6 Mon Sep 17 00:00:00 2001
From: erik-krogh
Date: Thu, 21 Mar 2024 09:26:35 +0100
Subject: [PATCH] change the precision of the js/unsafe-external-link query to
low
---
javascript/ql/src/DOM/TargetBlank.qhelp | 8 ++++++++
javascript/ql/src/DOM/TargetBlank.ql | 2 +-
.../src/change-notes/2024-03-21-target-blank-precision.md | 4 ++++
3 files changed, 13 insertions(+), 1 deletion(-)
create mode 100644 javascript/ql/src/change-notes/2024-03-21-target-blank-precision.md
diff --git a/javascript/ql/src/DOM/TargetBlank.qhelp b/javascript/ql/src/DOM/TargetBlank.qhelp
index f0e7ca37500..e1b1fd8e7f2 100644
--- a/javascript/ql/src/DOM/TargetBlank.qhelp
+++ b/javascript/ql/src/DOM/TargetBlank.qhelp
@@ -9,6 +9,14 @@ of the origin page using window.opener unless link type noope
or noreferrer is specified. This is a potential security risk.
+
+Note that only older browsers, where target="_blank" does not imply rel="noopener",
+are affected by this vulnerability. Modern browsers implicitly add rel="noopener" to
+target="_blank" links.
+Refer to the browser compatibility section
+on the anchor element for details on which browsers implicitly add rel="noopener" to target="_blank" links.
+
+
diff --git a/javascript/ql/src/DOM/TargetBlank.ql b/javascript/ql/src/DOM/TargetBlank.ql
index fb63737f678..dc7f1d65e79 100644
--- a/javascript/ql/src/DOM/TargetBlank.ql
+++ b/javascript/ql/src/DOM/TargetBlank.ql
@@ -10,7 +10,7 @@
* security
* external/cwe/cwe-200
* external/cwe/cwe-1022
- * @precision very-high
+ * @precision low
*/
import javascript
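Review bot: The new `* @precision low` line lowers the true-positive-rate metadata, but the rationale given in the commit (modern browsers null `window.opener` for `target="_blank"` links) is about the impact of a correct match rather than about the query mis-identifying the pattern, so the metadata that more directly expresses "real but reduced risk on older browsers" is the query's `@security-severity` value, if one is set in the metadata block above this hunk (not visible here); it is worth confirming that it was revisited alongside the precision. The surrounding tags `security`, `external/cwe/cwe-200` and `external/cwe/cwe-1022` are unchanged, so wherever the query still runs the alert is categorised as a security result. If low-precision queries are dropped from the bundled suites, the query effectively becomes opt-in; that is presumably intended, but the change note should say so explicitly so users relying on this check know to add it to a custom suite.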
diff --git a/javascript/ql/src/change-notes/2024-03-21-target-blank-precision.md b/javascript/ql/src/change-notes/2024-03-21-target-blank-precision.md
new file mode 100644
index 00000000000..89b0c0da191
--- /dev/null
+++ b/javascript/ql/src/change-notes/2024-03-21-target-blank-precision.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@precision` of the `js/unsafe-external-link` has been lowered to `low` to reflect that modern browsers do not provider the `opener` attribute and thus mitigate the potential security risk of having a link with `target="_blank"`.
\ No newline at end of file