In a situation where an **attacker** can **control** the **`href`** argument of an **`<a`** tag with the attribute **`target="_blank" rel="opener"`** that is going to be clicked by a victim, the **attacker****point** this **link** to a web under his control (a **malicious****website**). Then, once the **victim clicks** the link and access the attackers website, this **malicious****website** will be able to **control** the **original****page** via the javascript object **`window.opener`**.\
A regular way to abuse this behaviour would be to **change the location of the original web** via `window.opener.location = https://attacker.com/victim.html` to a web controlled by the attacker that **looks like the original one**, so it can **imitate** the **login****form** of the original website and ask for credentials to the user.
However, note that as the **attacker now can control the window object of the original website** he can abuse it in other ways to perform **stealthier attacks** (maybe modifying javascript events to ex-filtrate info to a server controlled by him?)
The malicious site can only access to the following properties from the **opener** javascript object reference (that is in fact a reference to a **window** javascript class instance) in case of **cross origin** (cross domains) access:
*`opener.closed`: Returns a boolean value indicating whether a window has been closed or not.
*`opener.frames`: Returns all iframe elements in the current window.
*`opener.length`: Returns the number of iframe elements in the current window.
*`opener.opener`: Returns a reference to the window that created the window.
*`opener.parent`: Returns the parent window of the current window.
*`opener.self`: Returns the current window.
*`opener.top`: Returns the topmost browser window.
If the domains are the same then the malicious site can access all the properties exposed by the [**window**](https://developer.mozilla.org/en-US/docs/Web/API/Window) javascript object reference.
Prevention information are documented into the [HTML5 Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/HTML5\_Security\_Cheat\_Sheet.html#tabnabbing).