What is Token Leakage via Referer – Untrusted 3rd Party Vulnerability?

The HTTP Referer is an optional request header that carries the URL of the page from which the current request originated: the address of the last web page from which a link to the presently requested page was followed.

What makes this a vulnerability?
It enables the operator of a third-party site to change the user's password (CSRF attack) because that operator gains access to the user's password reset token.

For example, the website www.mydomain.com offers a password reset feature. User A uses it and lands on the reset page, whose URL carries the password reset token. If that page links to an external site and User A follows the link, the browser sends the Referer header, containing the full reset URL and therefore the token, to the external site. The owner of that site can now use the token to gain access to the victim's account.

To fix this, add rel="noopener noreferrer" to external links (for example those in the footer) so that the browser does not send the Referer header, and with it the token-bearing URL, to third-party sites.
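The following is an added example, not code from the original post or from ZOFixer, that makes the mechanism and the fix above concrete from the site owner's side. It parses a reset page and reports every cross-site link that would carry the reset URL in the Referer header, treats a page-level `<meta name="referrer">` policy of anything other than `unsafe-url` or `no-referrer-when-downgrade` as closing the hole, and shows what a third party's access log would contain when the leak happens. The host www.mydomain.com comes from the post; the `/reset-password` path, the `token` query parameter name, the link targets and the log lines are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

OUR_HOST = "www.mydomain.com"             # host from the post's example
TOKEN_PARAMS = {"token", "reset_token"}   # assumed query parameter names
# Referrer policies under which a cross-site navigation still sends the full URL
# (path and query included); every other policy strips at least the query.
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


class LinkAuditor(HTMLParser):
    """Collects cross-site <a href> links and the page-wide referrer policy."""

    def __init__(self):
        super().__init__()
        self.external = []      # (href, rel tokens) for each cross-site link
        self.page_policy = None  # value of <meta name="referrer" content="...">

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.page_policy = a.get("content", "").strip().lower()
            return
        if tag != "a" or not a.get("href"):
            return
        host = urlparse(a["href"]).netloc.lower()
        if host and host != OUR_HOST:   # same-site links never leave our server
            rel = set(a.get("rel", "").lower().split())
            self.external.append((a["href"], rel))


def audit_reset_page(html):
    """Return the cross-site links on a reset page that would leak its URL via Referer."""
    p = LinkAuditor()
    p.feed(html)
    p.close()
    # Conservative: a page with no explicit policy is audited as if the legacy
    # no-referrer-when-downgrade default applied, so every link must opt out.
    page_leaks = p.page_policy is None or p.page_policy in FULL_URL_POLICIES
    if not page_leaks:
        return []
    return [href for href, rel in p.external if "noreferrer" not in rel]


def referer_leaks_token(referer):
    """True when a Referer value carries one of the reset-token query parameters."""
    return any(k in parse_qs(urlparse(referer).query) for k in TOKEN_PARAMS)


def leaked_referers(log_lines):
    """Referer values in combined-format access log lines that contain a reset token."""
    hits = []
    for line in log_lines:
        m = re.search(r'"([^"]*)" "[^"]*"$', line)   # referer is the second-to-last quoted field
        if m and referer_leaks_token(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed reset page: token in the URL, footer link with no rel attribute.
VULNERABLE_PAGE = """<html><body>
<form action="/reset-password?token=EXAMPLE-TOKEN"><input name="pw"></form>
<footer><a href="https://social.example/mydomain">Follow us</a>
<a href="https://www.mydomain.com/help">Help</a></footer>
</body></html>"""

# Same page with the fix from the post applied, plus a page-wide policy as belt and braces.
FIXED_PAGE = """<html><head><meta name="referrer" content="no-referrer"></head><body>
<footer><a href="https://social.example/mydomain" rel="noopener noreferrer">Follow us</a></footer>
</body></html>"""

# Constructed lines as they would appear in the third party's access log.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /mydomain HTTP/1.1" 200 512 '
    '"https://www.mydomain.com/reset-password?token=EXAMPLE-TOKEN" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 512 '
    '"https://www.mydomain.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("leaking links:", audit_reset_page(VULNERABLE_PAGE))
    print("after fix:", audit_reset_page(FIXED_PAGE))
    print("tokens visible to the third party:", leaked_referers(SAMPLE_LOG))
```

Current browsers default to `strict-origin-when-cross-origin`, which already strips the path and query from cross-site Referers, so in practice the leak needs an explicit `unsafe-url` or `no-referrer-when-downgrade` policy or an old client; the audit above deliberately assumes the worst case so the per-link `rel="noreferrer"` is still enforced.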

The ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.
