CVE-2019-25155
Description
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOMPurify before 1.0.11 is vulnerable to reverse tabnabbing in a demo page due to missing noopener/noreferrer attributes.
Vulnerability Overview
DOMPurify versions prior to 1.0.11 contain a reverse tabnabbing vulnerability in the demo page demos/hooks-target-blank-demo.html. The page includes links with target="_blank" but lacks the rel="noopener noreferrer" attribute, so a page opened from such a link keeps a reference to the original page through its window.opener and can redirect that page to a malicious site [1][2].
Attack Vector
To exploit this, an attacker needs to host a malicious page that is linked from the demo page. When a user clicks the link, the malicious page opens in a new tab and can use window.opener.location to navigate the original page to a phishing or harmful website. No authentication is required, and the vulnerability is present only in the demo file, not in the core sanitization library [3].
Impact
Successful exploitation allows an attacker to perform reverse tabnabbing, tricking users into visiting malicious sites while they believe they are still on the legitimate DOMPurify demo. This can lead to phishing, malware distribution, or other social engineering attacks [1].
Mitigation
The vulnerability was fixed in version 1.0.11 by adding rel="noopener noreferrer" to the affected links [4]. Users should update to the latest version or avoid using the demo page in production environments.
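One way to check for and close this gap in a sanitizer hook, as an added example that is not DOMPurify's or the demo's own code: `hardenTargetBlank` applies the patched demo's logic (merging into an existing rel rather than overwriting it, which goes beyond the one-line fix), `allowsReverseTabnabbing` is the defender-side check, and `FakeElement` is a constructed stand-in for a DOM element so the block runs in Node without a browser.

```javascript
// Added example, not DOMPurify's own code. The demo's hook tests `'target' in node`
// (a DOM property check); this version tests the attribute so a plain object shim works.
const SAFE_REL = ['noopener', 'noreferrer'];

function relTokens(node) {
  return (node.getAttribute('rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
}

// Same intent as the fixed demo hook: every element with a target opens in a new
// tab and gets window.opener severed. Unlike the one-line patch, this merges the
// two tokens into an existing rel (e.g. "nofollow") instead of overwriting it.
function hardenTargetBlank(node) {
  if (node.hasAttribute('target')) {
    node.setAttribute('target', '_blank');
    const merged = Array.from(new Set([...relTokens(node), ...SAFE_REL]));
    node.setAttribute('rel', merged.join(' '));
  }
  return node;
}

// Defender-side check: true when the element would still hand the opened page a
// usable window.opener. Either token is enough in current browsers; the fix sets both.
function allowsReverseTabnabbing(node) {
  if (node.getAttribute('target') !== '_blank') return false;
  const rel = relTokens(node);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Minimal stand-in for a DOM Element, constructed for this example.
class FakeElement {
  constructor(attrs = {}) { this.attrs = { ...attrs }; }
  hasAttribute(name) { return Object.prototype.hasOwnProperty.call(this.attrs, name); }
  getAttribute(name) { return this.hasAttribute(name) ? this.attrs[name] : null; }
  setAttribute(name, value) { this.attrs[name] = String(value); }
}

// Walk a list of elements the way the hook would see them and report the outcome.
function auditAndFix(elements) {
  const flaggedBefore = elements.filter(allowsReverseTabnabbing).length;
  elements.forEach(hardenTargetBlank);
  const flaggedAfter = elements.filter(allowsReverseTabnabbing).length;
  return { flaggedBefore, flaggedAfter };
}
// Constructed sample: one unsafe new-tab link, one already safe, one same-tab link.
const SAMPLE = [
  new FakeElement({ href: 'https://example.com/', target: '_blank' }),
  new FakeElement({ href: 'https://example.org/', target: '_blank', rel: 'noopener' }),
  new FakeElement({ href: '/local', target: '_self' }),
];
```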
- GitHub - cure53/DOMPurify: DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
- Fixed security issue in demo (Reverse Tabnabbing) by ArtemBernatskyy · Pull Request #337 · cure53/DOMPurify
- Comparing 1.0.10...1.0.11 · cure53/DOMPurify
- Merge pull request #337 from ArtemBernatskyy/patch-1 · cure53/DOMPurify@7601c33
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dompurify (npm) | < 1.0.11 | 1.0.11 |
Affected products
- DOMPurify/DOMPurify
Patches
- 7601c33a57e0: Merge pull request #337 from ArtemBernatskyy/patch-1
1 file changed · +2 −0
demos/hooks-target-blank-demo.html+2 −0 modified@@ -32,6 +32,8 @@ // set all elements owning target to target=_blank if ('target' in node) { node.setAttribute('target','_blank'); + // prevent https://www.owasp.org/index.php/Reverse_Tabnabbing + node.setAttribute('rel', 'noopener noreferrer'); } // set non-HTML/MathML links to xlink:show=new if (!node.hasAttribute('target')
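Review bot: the added `node.setAttribute('rel', 'noopener noreferrer')` replaces whatever rel value the sanitized input already carried (for example `nofollow`), since setAttribute overwrites rather than appends; if author-supplied link types should survive in the demo, read the existing rel and add the two tokens to it. The placement is otherwise right: the new line sits inside the same `'target' in node` branch that forces target=_blank, so every element that is sent to a new tab also has its opener link severed, and the OWASP comment documents why.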
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8hgg-xxm5-3873 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-25155 (GHSA, advisory)
- github.com/cure53/DOMPurify/commit/7601c33a57e029cce51d910eda5179a3f1b51c83 (GHSA, web)
- github.com/cure53/DOMPurify/compare/1.0.10...1.0.11 (GHSA, web)
- github.com/cure53/DOMPurify/pull/337 (GHSA, web)
- github.com/cure53/DOMPurify/pull/337/files (MITRE)