What is Tabnabbing?
Many articles have already been written about this, for example this one and the OWASP page.
In short, it is control of a browser tab by a child tab that was opened from it with target="_blank". When a link to an external site carries target="_blank", the opened site receives a reference to window.opener, through which it can change the location of the tab the link was clicked in (writing opener.location is permitted even cross-origin, although reading it is not). All large services that let users insert links protect their users from this by adding rel="noopener" or by routing outbound links through a proxy page. Modern browsers (Chrome 88, Firefox 79, Safari 12.1 and later) apply noopener implicitly to target="_blank" links; older browsers did not, and the behaviour described here relies on that.
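The mechanism in miniature, as an added example that is not part of the original post or of any Yandex code: the attacker half is the script a malicious target="_blank" page runs against window.opener; the defender half is the sanitiser step a service that accepts user links should apply, forcing rel="noopener noreferrer" onto every anchor that opens a new tab. It runs under Node without a DOM, so the opener is a constructed stand-in object; the URLs, function names and the HTML input are all assumptions made for illustration.

```javascript
// Added example: reverse tabnabbing, attacker side and defender side.
// Stand-alone for Node; "opener" is a constructed stand-in for window.opener.

// Attacker page: swap the tab that opened us for a phishing copy.
// Returns true when a hijack happened, false when the link was protected.
function hijackOpener(opener, phishingUrl) {
  // window.opener is null when the link carried rel="noopener" (or the
  // browser applied it implicitly); there is then nothing to hijack.
  if (!opener) return false;
  // Cross-origin the child cannot read opener.location, but assigning it
  // is allowed, which is all a navigation needs.
  opener.location = phishingUrl;
  return true;
}

// Defender: rewrite user-supplied HTML so every target="_blank" anchor
// carries rel="noopener noreferrer", keeping any rel tokens already present.
// The regex handles plain anchor tags such as a menu or article body emits;
// a real sanitiser would use an HTML parser instead.
function hardenLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    // Only links that open a new tab expose window.opener.
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(attrs)) return tag;
    const relMatch = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
    if (relMatch) {
      const tokens = relMatch[1].split(/\s+/).filter(Boolean);
      if (!tokens.includes('noopener')) tokens.push('noopener');
      if (!tokens.includes('noreferrer')) tokens.push('noreferrer');
      const newAttrs = attrs.replace(relMatch[0], `rel="${tokens.join(' ')}"`);
      return `<a${newAttrs}>`;
    }
    return `<a${attrs} rel="noopener noreferrer">`;
  });
}

// Demonstration on constructed input (hypothetical URLs).
const victimTab = { location: 'https://turbo.example/article' };
hijackOpener(victimTab, 'https://phish.example/login'); // victimTab now points at the phishing page
const userHtml = '<a href="https://evil.example" target="_blank">read more</a>';
console.log(hardenLinks(userHtml)); // anchor now carries rel="noopener noreferrer"
```

The same protection applies on the opener side when links are opened from script: window.open(url, '_blank', 'noopener') severs the reference just as the rel attribute does. Setting window.opener = null from the child page is not a defence, since the attacker controls that page.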
Yes, even when this was found in Yandex.Mail, it was recognized and closed.
But not in Turbo pages.
I sent a report that all links inserted into a turbo page are vulnerable to tabnabbing, both in the content and in the menu. The site owner can insert any links there. And most importantly, turbo pages are shown mostly to mobile users, who are more likely to be deceived through this vulnerability, since they often do not see the URL of the page because of the minimalist interface.
An example of a vulnerable link in the menu:

To which I received this answer (two months later, and after requests to reply on Twitter):

And why is it bad?
Although this behavior is described in the specification, it is far from obvious to the user. The user does not expect that the tab they navigated away from can change behind their back.
At best, the turbo page will be replaced with a huge porn banner; at worst, with a copy of the turbo page carrying a login and password form, for example. Huge scope for phishing!
Like the rest of the world, I believe this is a vulnerability.
What do you think?