HTML links that open in a new tab or window allow the target page to access the DOM of the origin page using window.opener unless link type noopener or noreferrer is specified. This is a potential security risk.

Note that only older browsers, where target="_blank" does not imply rel="noopener", are affected by this vulnerability. Modern browsers implicitly add rel="noopener" to target="_blank" links. Refer to the browser compatibility section on the anchor element for details on which browsers implicitly add rel="noopener" to target="_blank" links.

Specify the link type by adding an attribute rel="noopener noreferrer".

In the following example, a JSX element is created that corresponds to an HTML link opening the URL http://example.com in a new tab. Since it does not specify a link type, that page will be able to access the DOM of the origin page.

To fix this vulnerability, add a rel attribute:
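An added example, not part of the original page or of the check it documents: a simplified JavaScript scan that flags target="_blank" anchors lacking noopener/noreferrer in a markup string and rewrites them with the rel value recommended above. The function names and the sample markup are constructed for illustration, and the regex-based tag matching is an assumption standing in for a real HTML/JSX parser.

```javascript
// Simplified matcher for opening <a ...> tags (assumption: no ">" inside attribute values).
const ANCHOR_RE = /<a(?=[\s/>])[^>]*>/gi;

// Return the value of attribute `name` in an opening tag, or null if absent.
function getAttr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Lower-cased, whitespace-separated link types from the rel attribute.
function relTokens(tag) {
  const rel = getAttr(tag, "rel");
  return rel ? rel.toLowerCase().split(/\s+/).filter(Boolean) : [];
}

// Unsafe: opens a new tab/window and sets neither noopener nor noreferrer.
function isUnsafe(tag) {
  const target = getAttr(tag, "target");
  if (!target || target.toLowerCase() !== "_blank") return false;
  const tokens = relTokens(tag);
  return !tokens.includes("noopener") && !tokens.includes("noreferrer");
}

function findUnsafeLinks(markup) {
  return (markup.match(ANCHOR_RE) || []).filter(isUnsafe);
}

// Add rel="noopener noreferrer" to unsafe links, keeping existing link types.
function hardenLinks(markup) {
  return markup.replace(ANCHOR_RE, (tag) => {
    if (!isUnsafe(tag)) return tag;
    const tokens = [...new Set([...relTokens(tag), "noopener", "noreferrer"])];
    const stripped = tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, "");
    return stripped.replace(/\s*\/?>$/, (end) => ` rel="${tokens.join(" ")}"${end.trim()}`);
  });
}

// Constructed sample markup: two unsafe links, one already safe, one same-tab.
const SAMPLE = [
  '<a href="http://example.com" target="_blank">Example</a>',
  '<a href="http://example.com" target="_blank" rel="noopener noreferrer">Safe</a>',
  "<a href='http://example.com' target='_blank' rel='nofollow'>Partial</a>",
  '<a href="/local">Same tab</a>',
].join("\n");

console.log(findUnsafeLinks(SAMPLE));
console.log(hardenLinks(SAMPLE));
```
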

  • Mathias Bynens: About rel=noopener.
  • Mozilla Developer Network: HTML Anchor Element.