Window.opener bug at www.coinbase.com
Unknown
Vulnerability Details
**Window.Opener Bug**
**Description:**
When you open a link in a new tab (`target="_blank"`), the page that opens in the new tab can access the original tab and change its location through the `window.opener` property.
**Browsers Verified In:**
* Mozilla Firefox
**Steps To Reproduce:**
1. Visit https://www.coinbase.com/
2. In image F133659, notice that the links go through `https://www.coinbase.com/external_redirect`, except the "Bloomberg" link.
3. Since Bloomberg works over `http`, if you're on the same network you can manipulate the Bloomberg page and inject a script which manipulates `window.opener`:
`window.opener.location.replace("https://www.notcoinbase.com");`
I understand this is very trivial to exploit and does not have a very big impact.
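As a defender-side addition that is not part of the original report: a small Node.js check that scans page HTML for anchors opening a new tab without `rel="noopener"` (or `noreferrer`, which implies it), the attribute that cuts the `window.opener` link the report relies on, and returns a hardened copy. The sample HTML is constructed and only modelled on the links described in the report; `news.example` stands in for the direct `http` link.

```javascript
// Added example, not code from the original report. Finds <a target="_blank">
// tags that still expose window.opener to the opened page and adds
// rel="noopener noreferrer" to them. Regex-based so it runs without a DOM.

const ANCHOR_RE = /<a\b[^>]*>/gi;

// Return the value of an attribute on a single opening tag, or null if absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i'));
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// True when the anchor opens a new tab and neither noopener nor noreferrer is set.
function isUnsafeBlankAnchor(tag) {
  const target = attr(tag, 'target');
  if (!target || target.toLowerCase() !== '_blank') return false;
  const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// List every anchor tag in the HTML that exposes window.opener.
function findUnsafeAnchors(html) {
  return (html.match(ANCHOR_RE) || []).filter(isUnsafeBlankAnchor);
}

// Return a copy of the HTML with rel="noopener noreferrer" added to each unsafe anchor,
// preserving any rel tokens (e.g. nofollow) that were already present.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!isUnsafeBlankAnchor(tag)) return tag;
    const rel = attr(tag, 'rel');
    if (rel === null) return tag.replace(/>$/, ' rel="noopener noreferrer">');
    return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i,
                       `rel="${rel} noopener noreferrer"`);
  });
}

// Constructed sample: one link routed through the redirect endpoint with noopener,
// one direct http link without it (the case from the report), one same-tab link,
// and one new-tab link whose rel has other tokens but not noopener.
const SAMPLE_HTML = `
<a href="https://www.coinbase.com/external_redirect" target="_blank" rel="noopener">Press</a>
<a href="http://news.example/" target="_blank">Bloomberg</a>
<a href="/about">About</a>
<a href="http://other.example/" target="_blank" rel="nofollow">Other</a>
`;

console.log(findUnsafeAnchors(SAMPLE_HTML));   // the two anchors missing noopener
console.log(hardenAnchors(SAMPLE_HTML));        // same HTML with rel fixed on both
```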
Report Stats
- Report ID: 181088
- State: Closed
- Substate: resolved
- Upvotes: 2