VYPR
Moderate severity · NVD Advisory · Published Dec 22, 2022 · Updated Aug 4, 2024

ahorner text-helpers translation.rb reverse tabnabbing

CVE-2020-36624

Description

A vulnerability was found in ahorner text-helpers up to 1.0.x and has been declared critical. It affects unknown code in the file lib/text_helpers/translation.rb: manipulation of the link argument leads to use of a web link to an untrusted target with window.opener access. The attack can be initiated remotely. Upgrading to version 1.1.0 addresses this issue; the patch is commit 184b60ded0e43c985788582aca2d1e746f9405a3. Upgrading the affected component is recommended. The identifier of this vulnerability is VDB-216520.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A critical reverse tabnabbing vulnerability in text-helpers <=1.0.x lets attackers hijack window.opener via crafted links.

Overview

A critical vulnerability was discovered in the ahorner text-helpers library up to version 1.0.x. The bug resides in the file lib/text_helpers/translation.rb and involves the manipulation of the link argument, leading to a reverse tabnabbing attack. This class of vulnerability occurs when a page opens a link to an untrusted target using target="_blank" without setting rel="noopener noreferrer", allowing the opened page to control the window.opener object of the originating page [1][2].

Exploitation

The attack can be initiated remotely and does not require authentication, as the vulnerable code is exposed through normal usage of the helper that renders links. An attacker who can control the link parameter passed to the translation helper can craft a malicious URL that, when clicked by a victim, opens a new tab. The new tab then has access to the window.opener of the original application page, enabling it to redirect the parent window to a phishing or malware-hosting site [2][3].

Impact

If successfully exploited, an attacker can perform a phishing attack by replacing the trusted application page with a malicious clone, potentially stealing credentials or other sensitive information from the victim. The CVSS 4.0 score for this vulnerability is high, and NVD assessments note the critical severity [1].

Mitigation

The issue was patched in version 1.1.0 (commit 184b60d) and is fully resolved in the later v1.2.0 release [1][4]. Users of the text-helpers library should upgrade to at least version 1.1.0 immediately. No workarounds other than updating the affected component are recommended [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
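The before-and-after behaviour described in the Overview and fixed in the 1.1.0 patch, as an added Ruby example that is not the gem's own code: `PROTOCOL_MATCHER` is assumed here because the page does not show the gem's regex, and `tabnabbing_candidates` is an audit helper of my own for checking already-rendered HTML.

```ruby
# Added example, not the text-helpers gem's own code: a minimal reimplementation
# of the link helper before and after the 1.1.0 fix, plus an audit helper that
# flags rendered anchors that open a new tab without rel="noopener".
# PROTOCOL_MATCHER is an assumption; the gem's real regex is not shown here.
PROTOCOL_MATCHER = %r{\A[a-z][a-z0-9+.\-]*://}i

# Pre-1.1.0 behaviour: external links get target="_blank" only, so the page
# that opens can reach window.opener and navigate the originating tab.
def vulnerable_link(link, title, content)
  attributes = [
    ("href=\"#{link}\"" if link),
    ("title=\"#{title}\"" if title),
    ("target=\"_blank\"" if link&.match?(PROTOCOL_MATCHER)),
  ]
  "<a #{attributes.compact.join(" ")}>#{content}</a>"
end

# 1.1.0 behaviour: rel="noopener" accompanies target="_blank", so the new
# browsing context receives a null window.opener.
def safe_link(link, title, content)
  attributes = [
    ("href=\"#{link}\"" if link),
    ("title=\"#{title}\"" if title),
    ("target=\"_blank\" rel=\"noopener\"" if link&.match?(PROTOCOL_MATCHER)),
  ]
  "<a #{attributes.compact.join(" ")}>#{content}</a>"
end

ANCHOR_TAG = /<a\b[^>]*>/i

# Audit helper: return each opening <a ...> tag that sets target="_blank" but
# whose rel attribute lacks the noopener token. Handy for scanning rendered
# views or fixtures after upgrading the gem.
def tabnabbing_candidates(html)
  html.scan(ANCHOR_TAG).select do |tag|
    next false unless tag.match?(/\btarget\s*=\s*["']?_blank["']?/i)
    rel = tag[/\brel\s*=\s*["']([^"']*)["']/i, 1].to_s
    !rel.downcase.split.include?("noopener")
  end
end

if __FILE__ == $PROGRAM_NAME
  page = vulnerable_link("http://external.com", nil, "External link") +
         safe_link("http://external.com", nil, "External link")
  puts tabnabbing_candidates(page)   # only the first anchor is flagged
end
```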

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: text_helpers (RubyGems)
Affected versions: >= 1.1.0, < 1.2.0
Patched versions: 1.2.0

Patches
1c3873a538de

Bump version to 1.1.0

https://github.com/ahorner/text-helpers · Andrew Horner · Dec 9, 2020 · via osv
2 files changed · +9 −2
  • CHANGELOG.md (+8 −1, modified)
    @@ -1,5 +1,11 @@
     # Change Log
     
    +## [1.1.0] - 2020-12-02
    +
    +### New Features 
    +
    +- Add `rel=noopener` to external links (thanks to @n00dle)
    +
     ## [1.0.1] - 2020-12-02
     
     ### Changes 
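Review bot: the new [1.1.0] entry is dated 2020-12-02, the same date as the [1.0.1] entry below it, while the commit itself is dated Dec 9, 2020; confirm which release date is intended. The `### New Features ` heading also carries a trailing space.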
    @@ -14,7 +20,7 @@
     
     ### Bug Fixes
     
    -- Properly support translations using I18n::Pluralization backend (Thanks to @jhanggi)
    +- Properly support translations using I18n::Pluralization backend (thanks to @jhanggi)
     
     ## [0.7.2] - 2019-07-06
     
    @@ -69,6 +75,7 @@
     
     - Add RSpec helpers (thanks to @gabrielg)
     
    +[1.1.0]: https://github.com/ahorner/text-helpers/compare/v1.0.1...v1.1.0
     [1.0.1]: https://github.com/ahorner/text-helpers/compare/v1.0.0...v1.0.1
     [1.0.0]: https://github.com/ahorner/text-helpers/compare/v0.7.2...v1.0.0
     [0.7.2]: https://github.com/ahorner/text-helpers/compare/v0.7.1...v0.7.2
    
  • lib/text_helpers/version.rb (+1 −1, modified)
    @@ -1,3 +1,3 @@
     module TextHelpers
    -  VERSION = "1.0.1"
    +  VERSION = "1.1.0"
     end
    
184b60ded0e4

Protect against reverse tabnabbing (#19)

2 files changed · +5 −5
  • lib/text_helpers/translation.rb (+2 −2, modified)
    @@ -12,7 +12,7 @@ def link(link, title, content)
           attributes = [
             ("href=\"#{link}\"" if link),
             ("title=\"#{title}\"" if title),
    -        ("target=\"_blank\"" if link =~ PROTOCOL_MATCHER),
    +        ("target=\"_blank\" rel=\"noopener\"" if link.match?(PROTOCOL_MATCHER)),
           ]
     
           "<a #{attributes.compact.join(" ")}>#{content}</a>"
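Review bot: the new `link.match?(PROTOCOL_MATCHER)` call is unguarded while the `href` entry is guarded by `if link`, so a nil link now raises NoMethodError where the old `link =~ PROTOCOL_MATCHER` returned nil; guard it with `link && link.match?(PROTOCOL_MATCHER)` or `link&.match?(...)`. Consider emitting `rel="noopener noreferrer"` as well, since the advisory text recommends both tokens and `noreferrer` covers older browsers that ignore `noopener`.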
    @@ -44,7 +44,7 @@ def text(key, options = {})
           interpolation_options = { cascade: true }.merge(options)
     
           # Interpolate any keypaths (e.g., `!some.lookup.path/key!`) found in the text.
    -      while text =~ KEYPATH_MATCHER do
    +      while text.match?(KEYPATH_MATCHER) do
             text = text.gsub(KEYPATH_MATCHER) { |match| I18n.t($1, **interpolation_options) }
           end
     
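Review bot: switching the loop condition to `text.match?(KEYPATH_MATCHER)` is safe only because `$1` is set inside the `gsub` block, not by the condition; `match?` sets no match data, so nothing after the `while` may rely on `$~`. The loop also keeps re-scanning until no keypath remains, so a translation whose value expands to a keypath pointing back at itself would never terminate; a depth limit would make that a hard error instead.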
    
  • test/lib/text_helpers/translation_test.rb (+3 −3, modified)
    @@ -119,12 +119,12 @@
             assert_equal "<em>#{@scoped_text}</em>\n", @helper.html(:test_key, inline: true, orphans: true)
           end
     
    -      it "renders internal links without a target" do
    +      it "renders internal links without a target or rel" do
             assert_equal "<a href=\"/internal/path\">Internal&nbsp;link</a>\n", @helper.html(:internal_link, inline: true)
           end
     
    -      it "renders external links with target='_blank'" do
    -        assert_equal "<a href=\"http://external.com\" target=\"_blank\">External&nbsp;link</a>\n", @helper.html(:external_link, inline: true)
    +      it "renders external links with target='_blank' and rel='noopener'" do
    +        assert_equal "<a href=\"http://external.com\" target=\"_blank\" rel=\"noopener\">External&nbsp;link</a>\n", @helper.html(:external_link, inline: true)
           end
     
           it "interpolates values wrapped in !!" do
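Review bot: the updated expectations cover the internal and external cases, but no test exercises a nil link, which is exactly where the new `link.match?` call in translation.rb behaves differently from the old `=~`; a case asserting the output for a link-less entry would lock that behaviour down.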
    
