Merge pull request #16002 from erik-krogh/tarBlank

JS: change the precision of the `js/unsafe-external-link` query to `low`

Author: erik-krogh

javascript/ql/src/DOM/TargetBlank.qhelp

@@ -9,6 +9,14 @@ of the origin page using <code>window.opener</code> unless link type <code>noope
 or <code>noreferrer</code> is specified. This is a potential security risk.
 </p>
 
+<p>
+Note that only older browsers, where <code>target="_blank"</code> does not imply <code>rel="noopener"</code>, 
+are affected by this vulnerability. Modern browsers implicitly add <code>rel="noopener"</code> to
+<code>target="_blank"</code> links.
+Refer to the <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#browser_compatibility">browser compatibility section 
+on the anchor element</a> for details on which browsers implicitly add <code>rel="noopener"</code> to <code>target="_blank"</code> links.
+</p>
+
 </overview>
 <recommendation>
 

javascript/ql/src/DOM/TargetBlank.ql

@@ -10,7 +10,7 @@
  *       security
  *       external/cwe/cwe-200
  *       external/cwe/cwe-1022
- * @precision very-high
+ * @precision low
  */
 
 import javascript

javascript/ql/src/change-notes/2024-03-21-target-blank-precision.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@precision` of the `js/unsafe-external-link` has been reduced to `low` to reflect the fact that modern browsers do not expose the opening window for such links. This mitigates the potential security risk of having a link with `target="_blank"`.