I recently came across the term “tabnabbing”.
In short, tabnabbing is a phishing attack that manipulates web pages. It can harm both your website (and its reputation) and your visitors.
Naturally, I wanted to learn more about how we, as website owners, can help safeguard our visitors. So I did a little digging …
In this short article, I’ll be explaining what tabnabbing is in more detail, and what you can do to mitigate it.
What is Tabnabbing Anyway?
Tabnabbing is a phishing attack that can occur when a site visitor clicks a link that opens in a new tab or window. That action gives an attacker the opportunity to redirect the original page to a duplicate site that is entirely under their control.
What’s the Point of Tabnabbing?
The objective here is pretty simple. The attacker links visitors to a duplicate site in the hope of capturing login details and other sensitive information.
The JavaScript in the new tab can do anything that normal JavaScript can. It can manipulate the page, alter data, send requests, read cookies for that site, etc. It can also read details of, and make changes to, the window that opened it (its opener). For example, it can redirect the original page to a fake one that looks legitimate and asks visitors for their credentials.
For obvious reasons, this can be very dangerous.
What Can You Do to Prevent Tabnabbing?
For site visitors, preventing tabnabbing is difficult, since the attack rarely involves clicking a link that looks suspicious. As a website creator, however, there are a few things you can look out for.
rel="noopener"
First and foremost, always make sure that your external links point to reputable sources. Second, links to external sites that open in a new tab should generally always carry a rel="noopener" attribute. This leaves the new tab's window.opener unset, so JavaScript running in the new tab has no access to the tab that opened it.
rel="noreferrer"
Similarly, adding rel="noreferrer" to a link instructs the browser not to tell the new tab's web server which page the visitor came from, by omitting the Referer header.
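The two attributes above are easy to forget on individual links, so the check most site owners want is an audit of their own markup. The following is an added example, not code from the original article: a small Node.js script that finds every link opening in a new tab without rel="noopener" (or rel="noreferrer", which implies noopener in current browsers) and rewrites it, adding noreferrer only for links to other hosts. The sample markup, the SITE_HOST placeholder and the lightweight regex-based attribute parsing are assumptions for the example, not a full HTML parser.

```javascript
// Added example, not code from the original article: audit links that open in
// a new tab and add the rel="noopener" / rel="noreferrer" hardening.
// Assumptions (not from the article): anchors are plain <a ...> tags parsed with
// a lightweight regex (an audit aid, not a full HTML parser), and SITE_HOST is a
// placeholder for the site's own hostname, used to decide which links are external.

const SITE_HOST = "www.example.com"; // placeholder, assumed

// Constructed sample markup: two unsafe new-tab links, one already hardened,
// and one that opens in the same tab.
const SAMPLE_HTML = `
<a href="https://partner.example/deal" target="_blank">Partner</a>
<a href="/about" target="_blank" rel="nofollow">About</a>
<a href="https://docs.example.org" target="_blank" rel="noopener">Docs</a>
<a href="https://other.example">Same tab</a>
`;

const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;

// Parse the attributes of one opening <a ...> tag into a plain object.
function parseAttrs(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Does the link open a new browsing context? Any target other than _self,
// _parent or _top does (including named windows), so window.opener would be set.
function opensNewContext(attrs) {
  const t = (attrs.target || "").toLowerCase();
  return t !== "" && !["_self", "_parent", "_top"].includes(t);
}

// Is the href on another host? Relative hrefs resolve against siteHost.
function isExternal(href, siteHost) {
  try {
    return new URL(href, `https://${siteHost}/`).host !== siteHost;
  } catch {
    return true; // unparsable href: treat as external, the safer default
  }
}

// Compute the rel value a new-tab link should carry: noopener for every such
// link, plus noreferrer for external ones so the Referer header is dropped.
function hardenRel(rel, { external = true } = {}) {
  const tokens = new Set((rel || "").toLowerCase().split(/\s+/).filter(Boolean));
  tokens.add("noopener");
  if (external) tokens.add("noreferrer");
  return [...tokens].sort().join(" ");
}

// Audit an HTML string: report every new-tab link lacking noopener/noreferrer
// and return a copy with the rel attribute hardened. Links that already carry
// noreferrer are left alone, because noreferrer implies noopener.
function auditAnchors(html, siteHost) {
  const findings = [];
  const fixed = html.replace(/<a\b([^>]*)>/gi, (tag, body) => {
    const attrs = parseAttrs(body);
    if (!opensNewContext(attrs)) return tag;
    const have = (attrs.rel || "").toLowerCase().split(/\s+/);
    if (have.includes("noopener") || have.includes("noreferrer")) return tag;
    const rel = hardenRel(attrs.rel, { external: isExternal(attrs.href || "", siteHost) });
    findings.push({ href: attrs.href || "", rel });
    const newBody = /\brel\s*=/i.test(body)
      ? body.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i, `rel="${rel}"`)
      : `${body} rel="${rel}"`;
    return `<a${newBody}>`;
  });
  return { findings, html: fixed };
}

const report = auditAnchors(SAMPLE_HTML, SITE_HOST);
for (const f of report.findings) console.log(`unsafe new-tab link ${f.href} -> rel="${f.rel}"`);
console.log(report.html);
```

Running the script against the sample reports the partner link (rewritten to rel="noopener noreferrer") and the internal /about link (rewritten to rel="nofollow noopener", keeping the existing token and skipping noreferrer because it stays on the same host); the link that already has noopener and the same-tab link are untouched. Feeding the rewritten HTML back in produces no findings, which is the property an audit like this should have.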
A Note About Affiliate Links
We’ve reached out to a number of affiliate platforms to confirm whether or not the rel="noreferrer"
attribute would affect tracking. Here’s what we were told:
[Affiliate links with this attribute will be] impacted when using the pro add-on Direct Link Tracking since it relies on the referring URL to be supplied to credit the affiliate. Otherwise cookies should still be able to be added to the visitor’s browser, which is how the affiliate_id is tracked across the site and
[…]
This article was written by Gabriella Galea and originally published on WP Mayor.