GHSA-xcxh-6cv4-q8p8: HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit
When adding a “web link” to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab.
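As an added example (not code from HFS or from the advisory), the following JavaScript scans markup for links that open in a new tab without severing window.opener, and computes the rel value that closes the gap. The function names and the sample markup are assumptions constructed for illustration, and the regex-based scan is meant for simple markup rather than arbitrary HTML.

```javascript
// Added example: audit <a> tags for target="_blank" without rel="noopener".
// SAMPLE is constructed markup; it is not taken from the HFS frontend.
const SAMPLE = `
<a href="https://example.test/a" target="_blank">A</a>
<a href="https://example.test/b" target="_blank" rel="noopener noreferrer">B</a>
<a href="https://example.test/c">C</a>
<a href='https://example.test/d' target=_blank rel="nofollow">D</a>`;

// Return the value of attribute `name` from a tag's raw attribute string, or null.
function getAttr(attrs, name) {
  const re = new RegExp(
    `(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3] ?? '') : null;
}

// Compute the rel value a link needs so the opened page gets no window.opener.
// Existing tokens (e.g. nofollow) are preserved.
function hardenedRel(target, rel) {
  const tokens = new Set((rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  if ((target || '').toLowerCase() === '_blank') {
    tokens.add('noopener');
    tokens.add('noreferrer');
  }
  return [...tokens].join(' ');
}

// List the hrefs of links that open a new tab but leave window.opener reachable.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = m[1];
    const target = getAttr(attrs, 'target');
    if (!target || target.toLowerCase() !== '_blank') continue;
    const rel = (getAttr(attrs, 'rel') || '').toLowerCase().split(/\s+/);
    // noreferrer implies noopener, so either token severs the opener reference.
    if (!rel.includes('noopener') && !rel.includes('noreferrer')) {
      unsafe.push(getAttr(attrs, 'href'));
    }
  }
  return unsafe;
}

console.log(findUnsafeLinks(SAMPLE));
console.log(hardenedRel('_blank', 'nofollow'));
```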