Don't open user-supplied links with target="_blank"
window.opener, if the target is on the same domain.
Even if the target site is on another domain, it still has some access and can, for example, manipulate window.location to perform a phishing attack.
You may use a rel="noopener" attribute to avoid this in modern browsers, except IE or Edge.
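One way to apply the rel="noopener" advice above when rendering user-supplied links, as an added example that is not code from the original page. The function names are hypothetical and the inputs in the comments are constructed; it also adds noreferrer, which per the HTML standard implies the same no-opener behaviour, and treats any named target (not only _blank) as opening a new context.

```javascript
// Added example; function names are hypothetical.
const SAME_CONTEXT = new Set(['', '_self', '_parent', '_top']);

// True when the target value makes the browser open a new browsing context,
// which is the case where the opened page receives window.opener.
function opensNewContext(target) {
  return !SAME_CONTEXT.has(String(target || '').trim().toLowerCase());
}

// Merge noopener/noreferrer into an existing rel value, keeping unrelated
// tokens (e.g. nofollow) and dropping "opener", which re-enables the handle.
function hardenRel(rel) {
  const tokens = new Set(String(rel || '').toLowerCase().split(/\s+/).filter(Boolean));
  tokens.delete('opener');
  tokens.add('noopener');
  tokens.add('noreferrer');
  return [...tokens].join(' ');
}

// Return a copy of an anchor's attributes with rel hardened when needed.
function hardenAnchor(attrs) {
  if (!opensNewContext(attrs.target)) return { ...attrs };
  return { ...attrs, rel: hardenRel(attrs.rel) };
}

// Encode characters that could break out of an attribute value or text node.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
}

// Render a user-supplied link that opens in a new tab without an opener handle.
// Allow-listing the href scheme (http/https) is a separate check, not shown.
function renderUserLink(href, text) {
  const a = hardenAnchor({ href, target: '_blank' });
  const attrs = Object.entries(a).map(([k, v]) => `${k}="${escapeAttr(v)}"`).join(' ');
  return `<a ${attrs}>${escapeAttr(text)}</a>`;
}

// In a page, the same rule can be applied to anchors that are already rendered:
//   for (const el of document.querySelectorAll('a[target]')) {
//     if (opensNewContext(el.target)) el.rel = hardenRel(el.rel);
//   }
```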