Target=“_blank” – the most underestimated vulnerability ever (2021) (jitbit.com)
28 points by thrusong on May 18, 2022 | 4 comments



"underestimated vulnerability" that also has been fixed since 2021.

I remember reading about this back in ~2016 if not earlier. Was also featured on HN at least twice (via https://mathiasbynens.github.io/rel-noopener/ where I think I read about it first):

- https://news.ycombinator.com/item?id=11553740

- https://news.ycombinator.com/item?id=16226800


target="_blank" implies rel="noopener"

https://caniuse.com/mdn-html_elements_a_implicit_noopener


Interesting that some Chromium-based browsers such as Opera and Android don't have this, while Chrome does.
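
As an added example (not part of the thread or the linked article): because the implicit behaviour depends on the browser, as the comments above note, a site can check its own markup for `target="_blank"` links that carry neither `noopener` nor `noreferrer`. The function names, sample markup and `example.test` URLs are constructed for illustration, and the regex tag scan is a simplification, not a full HTML parser.

```javascript
// Added example: find target="_blank" links that depend on implicit noopener.
// Regex tag scan for illustration only, not a full HTML parser.
const TAG_RE = /<(a|area)\b((?:"[^"]*"|'[^']*'|[^'">])*)>/gi;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function parseAttrs(src) {
  const attrs = Object.create(null);
  for (const m of src.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function auditBlankLinks(html) {
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const attrs = parseAttrs(m[2]);
    // Keyword comparison is ASCII case-insensitive.
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    // noreferrer implies noopener; either one is an explicit opt-out.
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    findings.push({
      href: attrs.href ?? null,
      // rel="opener" explicitly re-enables window.opener even where noopener is implied.
      reason: rel.includes("opener") ? "explicit-opener" : "implicit-only",
    });
  }
  return findings;
}

// Constructed sample markup (example.test URLs are placeholders).
const SAMPLE = `
<a href="https://example.test/a" target="_blank">implicit only</a>
<a href="https://example.test/b" target="_BLANK" rel="nofollow">implicit only</a>
<a href="https://example.test/c" target="_blank" rel="NoOpener nofollow">ok</a>
<a href="https://example.test/d" target="_blank" rel="noreferrer">ok</a>
<a href="https://example.test/e" target=_blank rel=opener>explicit opt-in</a>
<a href="https://example.test/f">same tab, not affected</a>
<area href='https://example.test/g' target='_blank'>
`;

for (const f of auditBlankLinks(SAMPLE)) console.log(f.reason, f.href);
```

Links reported as `implicit-only` are safe only in browsers that treat `target="_blank"` as implying `noopener`; adding `rel="noopener"` makes the protection explicit.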


What was the point of giving the page access to the opener page?

I mean, this doesn’t happen with normal links where the target isn’t set, so there must have been some intention behind this.



