
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was found in ahorner text-helpers up to version 1.0.x, identified as CVE-2020-36624. It affects the file lib/text_helpers/translation.rb: manipulation of the link argument leads to the use of a web link to an untrusted target with window.opener access. This remote vulnerability was discovered in December 2022 and has been rated as critical (NVD).
The vulnerability is classified as CWE-1022 (Use of Web Link to Untrusted Target with window.opener Access). It has received a CVSS v3.1 base score of 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) from NVD, while VulDB rates it at 6.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L). The vulnerability specifically relates to how external links are handled without proper protection against reverse tabnabbing attacks (GitHub PR).
The vulnerability could allow attackers to conduct reverse tabnabbing attacks when users click on external links. This could potentially lead to phishing attacks where the original page is replaced with a malicious one, taking advantage of the window.opener access (OWASP).
The vulnerability has been fixed in version 1.1.0 of the text-helpers library. The patch (184b60ded0e43c985788582aca2d1e746f9405a3) adds the rel="noopener" attribute to external links to prevent reverse tabnabbing attacks. Users are recommended to upgrade to version 1.1.0 or later to address this security issue (GitHub Release).
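As an added illustration, not code from the text-helpers gem, the snippet below renders an external link the way the report describes as vulnerable (target="_blank" with no rel) beside the fixed form with rel="noopener", and includes a small audit helper that flags anchors still missing the attribute. All function names and sample markup are constructed.

```ruby
require "cgi"

# Constructed example (not the text-helpers gem's code): an external link
# that opens a new tab but carries no rel attribute, so the opened page keeps
# a window.opener reference back to this one (reverse tabnabbing).
def vulnerable_external_link(text, href)
  %(<a href="#{CGI.escapeHTML(href)}" target="_blank">#{CGI.escapeHTML(text)}</a>)
end

# Fixed form: rel="noopener" severs window.opener in the new tab;
# noreferrer is added for older browsers that only honour that keyword.
def safe_external_link(text, href)
  %(<a href="#{CGI.escapeHTML(href)}" target="_blank" rel="noopener noreferrer">#{CGI.escapeHTML(text)}</a>)
end

# Audit helper: return the href of every anchor that opens a new tab but
# lacks rel="noopener" (or "noreferrer", which implies noopener).
ANCHOR_RE = /<a\b([^>]*)>/i

def tabnabbing_candidates(html)
  html.scan(ANCHOR_RE).flat_map do |(attrs)|
    next [] unless attrs =~ /\btarget\s*=\s*["']?_blank["']?/i
    rel = attrs[/\brel\s*=\s*["']([^"']*)["']/i, 1].to_s.downcase.split
    next [] if (rel & %w[noopener noreferrer]).any?
    [attrs[/\bhref\s*=\s*["']([^"']*)["']/i, 1]]
  end
end

if __FILE__ == $PROGRAM_NAME
  page = vulnerable_external_link("docs", "https://one.example") +
         safe_external_link("blog", "https://two.example") +
         %(<a href="/local">home</a>)
  puts "links missing noopener: #{tabnabbing_candidates(page).inspect}"
end
```

Running the audit over rendered templates is a quick way to confirm that an upgrade to 1.1.0 actually removed every unprotected target="_blank" link from your pages.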
Source: This report was generated using AI