target="_blank" Vulnerability Resulting in Critical Phishing Vector
Team Summary
Official summary from Mapbox
On September 1st, 2016, @n0rb3r7 reported a vulnerability in the [Mapbox Classic editor](https://www.mapbox.com/editor/) related to a known `window.opener.location.href` issue with user-generated content and cross-origin navigation when `target="_blank"` (see [HTML bug report](https://www.w3.org/Bugs/Public/show_bug.cgi?id=28821)). This was addressed via the creation of the `noopener` link attribute (see [whatwg PR](https://github.com/whatwg/html/pull/290)) and browser compatibility efforts are ongoing. As of now it has [limited support](https://html.spec.whatwg.org/#link-type-noopener), though there are open tickets for adding it to the majority of remaining browsers. After an internal review of the issue - taking into consideration previous reports similar in nature, browser compatibility progress towards making `noopener` the default, the level of effort necessary to attempt this exploit, the bandwidth required for patching it, as well as the fact that Mapbox Classic editor is a legacy product - we decided that we would not move forward with an immediate fix at this time. This report was well put together and looking into it helped us further our research on this vulnerability type, thank you again @n0rb3r7!
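As an added illustration (not code from the report or from Mapbox), the JavaScript below audits user-generated HTML for `target="_blank"` links that lack the `noopener` link type mentioned in the summary and rewrites them to carry it. The function names and the sample markup are constructed for this example.

```javascript
// Added example: audit and harden target="_blank" links in user-generated HTML.
// Tag scanning by regex suits a lint-style check on simple markup; attribute
// values containing ">" are out of scope here.
const ANCHOR_RE = /<a\s[^>]*>/gi;
const ATTR_VALUE = `(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`;

// Read one attribute value (quoted or unquoted) from an opening tag.
function getAttr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*${ATTR_VALUE}`, 'i').exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Split a rel value into lowercase keyword tokens.
function relTokens(tag) {
  return (getAttr(tag, 'rel') || '').toLowerCase().split(/\s+/).filter((t) => /^[\w-]+$/.test(t));
}

// True when the link opens a new window that keeps a window.opener handle.
// "noreferrer" counts as safe because it implies noopener.
function isUnsafe(tag) {
  const target = getAttr(tag, 'target');
  if (target === null || target.toLowerCase() !== '_blank') return false;
  const rel = relTokens(tag);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Detection: list every offending opening tag.
function findUnsafeLinks(html) {
  return (html.match(ANCHOR_RE) || []).filter(isUnsafe);
}

// Mitigation: merge noopener and noreferrer into rel, keeping existing tokens.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!isUnsafe(tag)) return tag;
    const rel = [...new Set([...relTokens(tag), 'noopener', 'noreferrer'])].join(' ');
    const stripped = tag.replace(new RegExp(`\\srel\\s*=\\s*${ATTR_VALUE}`, 'i'), '');
    return stripped.replace(/\s*(\/?>)$/, ` rel="${rel}"$1`);
  });
}

// Constructed sample of user-generated markup (not taken from the report).
const SAMPLE = [
  '<a href="https://example.com/a" target="_blank">a</a>',
  '<a href="https://example.com/b" target=_blank rel="nofollow">b</a>',
  '<a href="https://example.com/c" target="_blank" rel="noopener">c</a>',
  '<a href="/d">d</a>',
].join('\n');
```

Adding `noreferrer` alongside `noopener` covers browsers that do not yet recognise `noopener`, at the cost of suppressing the Referer header on those links.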
Vulnerability Details
Technical details and impact analysis
Report Details
Additional information and metadata
State
Closed
Substate
Informative
Submitted
Weakness
Open Redirect