The HTML spec was changed to prevent window.opener from accessing the parent page. This is implemented by all browsers except IE11.
This will give the target site full access to your JavaScript environment through window.opener, if the target is on the same domain.
Even if the target site is on another domain, it still has some access and can, for example, manipulate window.location to perform a phishing attack.
You may use a rel="noopener" attribute to avoid this in modern browsers, except IE or Edge.
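One way to apply rel="noopener" across a page, as an added example that is not part of the original post: it adds the token to every link whose target can open a new window, including named targets and not only "_blank". The function names and the fakeLink stand-in are hypothetical; in a browser you would pass document.querySelectorAll("a[target], area[target]").

```javascript
// Added example; opensNewContext, withNoopener, hardenLinks and fakeLink are hypothetical names.

// Targets that stay in an existing browsing context, so no new opener is set.
const SAME_CONTEXT_TARGETS = new Set(["", "_self", "_parent", "_top"]);

// True when a target value can make the browser open a new window or tab.
// Named targets such as "help" count too, not only "_blank".
function opensNewContext(target) {
  return !SAME_CONTEXT_TARGETS.has((target || "").trim().toLowerCase());
}

// Merge "noopener" into an existing rel value, keeping every other token once.
function withNoopener(rel) {
  const seen = new Set();
  const out = [];
  for (const token of (rel || "").split(/\s+/).filter(Boolean).concat("noopener")) {
    const key = token.toLowerCase(); // rel tokens are case-insensitive
    if (!seen.has(key)) { seen.add(key); out.push(key); }
  }
  return out.join(" ");
}

// Add rel="noopener" to each element in `links` that opens a new context.
// `links` is any iterable of objects with getAttribute/setAttribute.
// Returns the hrefs that were changed, for logging or review.
function hardenLinks(links) {
  const changed = [];
  for (const el of links) {
    if (!opensNewContext(el.getAttribute("target"))) continue;
    const before = el.getAttribute("rel") || "";
    const after = withNoopener(before);
    if (after !== before) {
      el.setAttribute("rel", after);
      changed.push(el.getAttribute("href"));
    }
  }
  return changed;
}

// Constructed stand-in for a DOM element so the example also runs under Node.
function fakeLink(attrs) {
  return {
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    setAttribute: (name, value) => { attrs[name] = value; },
  };
}
```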
Posted by Henning Koch to makandra dev (2016-03-15 12:28)