As of WordPress 4.7.4, when you create a link in a post that opens in a new tab (target="_blank"), the WordPress visual editor will automatically modify the link to include the following attributes:
This new feature is to avoid a potentially serious vulnerability on these kind of links.
You have a link on "Page A" to "Page B". Let's say that link has a target="_blank" tag, which means that "Page B" will open in a new tab or a new window of your browser. Now, here comes the issue.
For some reason, when the above scenario happens, "Page B" can for a moment control "Page A" with a simple Javascript code. An attacker could use this to download something to your device, intercept private data being sent, change cookies that are dropped, or take your reader to any page they wanted. So, it's serious.
To avoid this behavior you can use the following attribute:
noopener
“Instructs the browser to open the link without granting the new browsing context access to the document that opened it — by not setting the Window.opener property on the opened window (it returns null).”
However, not all browsers support the previous tag, so to be sure you've closed the vulnerability you also need to use the following attribute on your links:
noreferrer
“Prevents the browser, when navigating to another page, to send this page address, or any other value, as referrer via the Referer: HTTP header.”
And that's why WordPress has automated adding the code on all links with target="_blank". It fixes a security issue with no actions needed by you.
Unfortunately the fix will also affect referrer tracking and some affiliate links. This means some users would like to disable the new default functionality altogether.
Lost referrer tracking should only be an issue if you have a non-secure http connection in the mix. The "noopener noreferrer" tag should not impact https transfers (i.e from your https site to another https site).
There are a few things you can do to disable the noopener noreferrer issues:
Whichever course of action you want to take, please contact us on support@performancefoundry.com and we'll take care of it for you.