darkwire / darkwire.io

End-to-end encrypted instant web chat

Home Page:https://darkwire.io


[Security] Missing rel=noreferrer and rel=noopener in links

Mickael-van-der-Beek opened this issue

When a user sends a message containing a URL, Darkwire transforms the URL into an HTML anchor tag with an href link to the URL in question using the Autolinker module.

This creates two important security vulnerabilities.

  • Missing rel=noreferrer

When a user clicks on a link sent by another user in the same chat room, the request made by the browser to fetch the resource referenced by the URL will contain a Referrer header whose value will be the chatroom's full URL.

This creates an issue where the administrator of any website a Darkwire user browsed to can just look up the Darkwire chatroom URL in the Referrer header in his server logs.

  • Missing rel=noopener

Since anchor tags created by Autolinker contain a target=_blank attribute, users clicking on this link will be vulnerable to tab-jacking attacks.

More details can be found in this blog post: https://mathiasbynens.github.io/rel-noopener/
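The following is an added example, not Darkwire's or Autolinker's own code, and it does not rely on any Autolinker configuration option. It shows the fix the two points above call for as a post-processing pass over the anchor HTML a linkifier emits: every `<a>` start tag gets `rel="noopener noreferrer"`, existing `rel` tokens are preserved and merged rather than overwritten, and a companion check lists anchors that are still missing either token. The sample message HTML is constructed for the example; the function names are my own.

```javascript
// Added example (not Darkwire's own code): harden linkified HTML so that no
// anchor leaks the chatroom URL via the Referer header (rel=noreferrer) and no
// target=_blank anchor hands the opened page a window.opener (rel=noopener).
// Attribute parsing is limited to <a ...> start tags, which is all a
// linkifier emits; values containing a literal '>' are not handled.

const REQUIRED_REL = ['noopener', 'noreferrer'];

// Parse the attribute text of one start tag into ordered
// { name, value, quote } records. value is null for boolean attributes.
function parseAttributes(attrText) {
  const attrs = [];
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const [, name, dq, sq, uq] = m;
    const value = dq !== undefined ? dq : sq !== undefined ? sq : uq !== undefined ? uq : null;
    attrs.push({ name, value, quote: sq !== undefined ? "'" : '"' });
  }
  return attrs;
}

// Serialize records back to attribute text, keeping each attribute's
// original quoting style and escaping the quote character inside values.
function serializeAttributes(attrs) {
  return attrs
    .map(({ name, value, quote }) => {
      if (value === null) return name;
      const escaped = quote === '"' ? value.replace(/"/g, '&quot;') : value.replace(/'/g, '&#39;');
      return `${name}=${quote}${escaped}${quote}`;
    })
    .join(' ');
}

// Merge the required tokens into an existing rel value. Tokens are compared
// case-insensitively and existing tokens (e.g. nofollow) are kept.
function mergeRel(existing) {
  const tokens = existing ? existing.trim().split(/\s+/).filter(Boolean) : [];
  const present = new Set(tokens.map((t) => t.toLowerCase()));
  for (const t of REQUIRED_REL) {
    if (!present.has(t)) {
      tokens.push(t);
      present.add(t);
    }
  }
  return tokens.join(' ');
}

// Rewrite every <a ...> start tag in html so it carries noopener and noreferrer.
// noreferrer is added to all anchors, not only target=_blank ones, because the
// Referer leak described in the issue happens on same-tab navigations too.
function hardenAnchors(html) {
  return html.replace(/<a\b([^>]*?)(\/?)>/gi, (whole, attrText, selfClose) => {
    const attrs = parseAttributes(attrText);
    const rel = attrs.find((a) => a.name.toLowerCase() === 'rel');
    if (rel) {
      rel.value = mergeRel(rel.value);
    } else {
      attrs.push({ name: 'rel', value: mergeRel(''), quote: '"' });
    }
    const serialized = serializeAttributes(attrs);
    return `<a${serialized ? ' ' + serialized : ''}${selfClose}>`;
  });
}

// Detection counterpart: return each anchor start tag that lacks a required
// rel token, with the list of tokens it is missing.
function findUnsafeAnchors(html) {
  const unsafe = [];
  for (const m of html.matchAll(/<a\b([^>]*?)\/?>/gi)) {
    const attrs = parseAttributes(m[1]);
    const rel = attrs.find((a) => a.name.toLowerCase() === 'rel');
    const have = new Set(((rel && rel.value) || '').toLowerCase().split(/\s+/).filter(Boolean));
    const missing = REQUIRED_REL.filter((t) => !have.has(t));
    if (missing.length) unsafe.push({ tag: m[0], missing });
  }
  return unsafe;
}

// Constructed sample: what a linkifier configured for target=_blank would emit
// for a chat message containing a URL.
const SAMPLE_MESSAGE_HTML =
  '<p>see <a href="https://example.com/page" target="_blank">https://example.com/page</a></p>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', findUnsafeAnchors(SAMPLE_MESSAGE_HTML));
  console.log('after :', hardenAnchors(SAMPLE_MESSAGE_HTML));
}
```

Two notes on the design. First, per the HTML spec `rel=noreferrer` also implies the `noopener` behaviour, so `noreferrer` alone would close both issues in current browsers; setting both is cheap and covers older engines that implemented `noopener` first. Second, the Referer leak can additionally be cut off at the page level with a `Referrer-Policy: no-referrer` response header or `<meta name="referrer" content="no-referrer">`, which is a reasonable defence in depth if the link-generation code changes later.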