From 1a4eb7d2e8f078dbc5fcb9854644a3d18f99bc2e Mon Sep 17 00:00:00 2001
From: Awais Jibran <awaisdar001@gmail.com>
Date: Thu, 22 Aug 2019 16:37:44 +0500
Subject: [PATCH] Pervent reverse tabnabbing in edx platform

---
 cms/static/js/base.js                            |  5 ++++-
 cms/templates/container.html                     |  2 +-
 cms/templates/course-create-rerun.html           |  2 +-
 cms/templates/course_outline.html                | 10 +++++-----
 cms/templates/export.html                        |  4 ++--
 cms/templates/group_configurations.html          |  6 +++---
 cms/templates/import.html                        |  4 ++--
 cms/templates/index.html                         |  2 +-
 ...dd-xblock-component-support-legend.underscore |  2 +-
 .../js/course-highlights-enable.underscore       |  2 +-
 .../js/highlights-enable-editor.underscore       |  2 +-
 cms/templates/js/license-selector.underscore     |  2 +-
 cms/templates/library.html                       |  2 +-
 cms/templates/textbooks.html                     |  2 +-
 .../ux/reference/fragments/course-settings.html  |  6 +++---
 cms/templates/widgets/header.html                |  4 ++--
 common/lib/xmodule/xmodule/lti_module.py         |  2 +-
 .../tests/views/test_instructor_dashboard.py     |  4 ++--
 .../instructor/views/instructor_dashboard.py     |  4 ++--
 lms/static/js/instructor_dashboard/util.js       |  2 +-
 .../components/StudentAccountDeletion.jsx        |  8 ++++----
 .../components/StudentAccountDeletionModal.jsx   |  2 +-
 .../js/student_account/views/RegisterView.js     |  2 +-
 lms/templates/api_admin/catalogs/edit.html       |  2 +-
 lms/templates/api_admin/catalogs/list.html       |  2 +-
 .../certificates/_accomplishment-banner.html     |  6 ++++--
 lms/templates/certificates/_badges-modal.html    |  4 ++--
 lms/templates/courseware/progress.html           |  4 ++--
 .../credit_eligibility_email.html                |  2 +-
 lms/templates/dashboard.html                     |  2 +-
 .../_dashboard_certificate_information.html      |  4 ++--
 .../dashboard/_dashboard_course_listing.html     |  6 ++++--
 .../dashboard/_dashboard_credit_info.html        |  4 ++--
 .../fields/field_order_history.underscore        |  2 +-
 lms/templates/header/header.html                 |  4 ++--
 lms/templates/header/navbar-authenticated.html   |  2 +-
 .../cohort-group-header.underscore               |  4 ++--
 .../instructor_analytics.html                    |  2 +-
 lms/templates/login.html                         |  2 +-
 lms/templates/lti.html                           |  2 +-
 .../bootstrap/navbar-authenticated.html          |  3 ++-
 .../navigation/navbar-authenticated.html         |  1 +
 lms/templates/navigation/navigation.html         |  4 ++--
 lms/templates/register-shib.html                 |  2 +-
 lms/templates/register.html                      |  2 +-
 lms/templates/signup_modal.html                  |  4 ++--
 .../student_account/account_settings.underscore  |  2 +-
 .../student_account/form_field.underscore        |  8 ++++----
 lms/templates/wiki/delete.html                   |  2 +-
 lms/templates/wiki/includes/cheatsheet.html      |  6 +++---
 openedx/core/djangoapps/api_admin/widgets.py     |  4 +++-
 openedx/core/djangoapps/user_api/api.py          | 16 ++++++++++++----
 .../core/djangoapps/user_api/tests/test_views.py | 14 +++++++-------
 .../user_authn/views/tests/test_views.py         |  2 +-
 openedx/core/lib/license/templates/license.html  |  2 +-
 openedx/features/enterprise_support/utils.py     |  2 +-
 .../templates/social_icons.underscore            |  2 +-
 .../learner-achievements-fragment.html           |  2 +-
 themes/edx.org/lms/templates/dashboard.html      |  2 +-
 .../templates/header/navbar-authenticated.html   |  6 ++----
 .../lms/templates/register-shib.html             |  2 +-
 61 files changed, 120 insertions(+), 103 deletions(-)

diff --git a/cms/static/js/base.js b/cms/static/js/base.js
index 0f7fa7f1da..7ef8b9f47c 100644
--- a/cms/static/js/base.js
+++ b/cms/static/js/base.js
@@ -97,7 +97,10 @@ define([
             // general link management - new window/tab
             $('a[rel="external"]:not([title])')
                 .attr('title', gettext('This link will open in a new browser window/tab'));
-            $('a[rel="external"]').attr('target', '_blank');
+            $('a[rel="external"]').attr({
+                rel: 'noopener external',
+                target: '_blank'
+            });
 
             // general link management - lean modal window
             $('a[rel="modal"]').attr('title', gettext('This link will open in a modal window')).leanModal({
diff --git a/cms/templates/container.html b/cms/templates/container.html
index ecaa9110e2..6de87b2b28 100644
--- a/cms/templates/container.html
+++ b/cms/templates/container.html
@@ -144,7 +144,7 @@ from openedx.core.djangolib.markup import HTML, Text
                         <p>${_("Confirm that you have properly configured content in each of your experiment groups.")}</p>
                     </div>
                     <div class="bit external-help">
-                        <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about component containers")}</a>
+                        <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about component containers")}</a>
                     </div>
                 % elif is_unit_page:
                     <div id="publish-unit"></div>
diff --git a/cms/templates/course-create-rerun.html b/cms/templates/course-create-rerun.html
index c8114a56a9..b8cdd06e88 100644
--- a/cms/templates/course-create-rerun.html
+++ b/cms/templates/course-create-rerun.html
@@ -148,7 +148,7 @@ from openedx.core.djangolib.js_utils import js_escaped_string
           </div>
 
           <div class="bit external-help">
-            <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about Course Re-runs")}</a>
+            <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about Course Re-runs")}</a>
           </div>
         </aside>
 
diff --git a/cms/templates/course_outline.html b/cms/templates/course_outline.html
index 5507ed75fa..44962ae6a6 100644
--- a/cms/templates/course_outline.html
+++ b/cms/templates/course_outline.html
@@ -164,7 +164,7 @@ from django.core.urlresolvers import reverse
                     <div style="width: 50%" class="status-studio-frontend">
                 % endif
                     <%static:studiofrontend entry="courseOutlineHealthCheck">
-                        <% 
+                        <%
                             course_key = context_course.id
                         %>
                         {
@@ -188,7 +188,7 @@ from django.core.urlresolvers import reverse
                                 "settings": ${reverse('settings_handler', kwargs={'course_key_string': unicode(course_key)})| n, dump_js_escaped_json}
                             }
                         }
-                    </%static:studiofrontend> 
+                    </%static:studiofrontend>
                 </div>
                 <div class="status-highlights-enabled"></div>
             </div>
@@ -218,14 +218,14 @@ from django.core.urlresolvers import reverse
                 <h3 class="title-3">${_("Reorganizing your course")}</h3>
                 <p>${_("Drag sections, subsections, and units to new locations in the outline.")}</p>
                 <div class="external-help">
-                    <a href="${get_online_help_info('outline')['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about the course outline")}</a>
+                    <a href="${get_online_help_info('outline')['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about the course outline")}</a>
                 </div>
             </div>
             <div class="bit">
                 <h3 class="title-3">${_("Setting release dates and grading policies")}</h3>
                 <p>${_("Select the Configure icon for a section or subsection to set its release date. When you configure a subsection, you can also set the grading policy and due date.")}</p>
                 <div class="external-help">
-                    <a href="${get_online_help_info('grading')['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about grading policy settings")}</a>
+                    <a href="${get_online_help_info('grading')['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about grading policy settings")}</a>
                 </div>
             </div>
             <div class="bit">
@@ -234,7 +234,7 @@ from django.core.urlresolvers import reverse
                 <p>${Text(_("To make a section, subsection, or unit unavailable to learners, select the Configure icon for that level, then select the appropriate {em_start}Hide{em_end} option. Grades for hidden sections, subsections, and units are not included in grade calculations.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
                 <p>${Text(_("To hide the content of a subsection from learners after the subsection due date has passed, select the Configure icon for a subsection, then select {em_start}Hide content after due date{em_end}. Grades for the subsection remain included in grade calculations.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
                 <div class="external-help">
-                    <a href="${get_online_help_info('visibility')['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about content visibility settings")}</a>
+                    <a href="${get_online_help_info('visibility')['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about content visibility settings")}</a>
                 </div>
             </div>
 
diff --git a/cms/templates/export.html b/cms/templates/export.html
index d0f546d633..bbc74c2046 100644
--- a/cms/templates/export.html
+++ b/cms/templates/export.html
@@ -235,7 +235,7 @@ else:
           <p>${_("Use an archive program to extract the data from the .tar.gz file. Extracted data includes the library.xml file, as well as subfolders that contain library content.")}</p>
       </div>
       <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about exporting a library")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about exporting a library")}</a>
       </div>
     </aside>
   %else:
@@ -269,7 +269,7 @@ else:
         <p>${_("Use an archive program to extract the data from the .tar.gz file. Extracted data includes the course.xml file, as well as subfolders that contain course content.")}</p>
       </div>
       <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about exporting a course")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about exporting a course")}</a>
       </div>
     </aside>
   %endif
diff --git a/cms/templates/group_configurations.html b/cms/templates/group_configurations.html
index 37bf796795..0e9708954c 100644
--- a/cms/templates/group_configurations.html
+++ b/cms/templates/group_configurations.html
@@ -86,7 +86,7 @@ from openedx.core.djangolib.markup import HTML, Text
             <p>${_("Enrollment track groups allow you to offer different course content to learners in each enrollment track. Learners enrolled in each enrollment track in your course are automatically included in the corresponding enrollment track group.")}</p>
             <p>${_("On unit pages in the course outline, you can restrict access to components to learners based on their enrollment track.")}</p>
             <p>${_("You cannot edit enrollment track groups, but you can expand each group to view details of the course content that is designated for learners in the group.")}</p>
-            <p><a href="${get_online_help_info(enrollment_track_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
+            <p><a href="${get_online_help_info(enrollment_track_help_token())['doc_url']} rel="noopener" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
           </div>
         </div>
       % endif
@@ -96,7 +96,7 @@ from openedx.core.djangolib.markup import HTML, Text
               <p>${_("If you have cohorts enabled in your course, you can use content groups to create cohort-specific courseware. In other words, you can customize the content that particular cohorts see in your course.")}</p>
               <p>${_("Each content group that you create can be associated with one or more cohorts. In addition to making course content available to all learners, you can restrict access to some content to learners in specific content groups. Only learners in the cohorts that are associated with the specified content groups see the additional content.")}</p>
               <p>${Text(_("Click {em_start}New content group{em_end} to add a new content group. To edit the name of a content group, hover over its box and click {em_start}Edit{em_end}. You can delete a content group only if it is not in use by a unit. To delete a content group, hover over its box and click the delete icon.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
-              <p><a href="${get_online_help_info(content_groups_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
+              <p><a href="${get_online_help_info(content_groups_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
           </div>
         </div>
       % if should_show_experiment_groups:
@@ -105,7 +105,7 @@ from openedx.core.djangolib.markup import HTML, Text
             <h3 class="title-3">${_("Experiment Group Configurations")}</h3>
             <p>${_("Use experiment group configurations if you are conducting content experiments, also known as A/B testing, in your course. Experiment group configurations define how many groups of learners are in a content experiment. When you create a content experiment for a course, you select the group configuration to use.")}</p>
             <p>${Text(_("Click {em_start}New Group Configuration{em_end} to add a new configuration. To edit a configuration, hover over its box and click {em_start}Edit{em_end}. You can delete a group configuration only if it is not in use in an experiment. To delete a configuration, hover over its box and click the delete icon.")).format(em_start=HTML("<strong>"), em_end=HTML("</strong>"))}</p>
-            <p><a href="${get_online_help_info(experiment_group_configurations_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
+            <p><a href="${get_online_help_info(experiment_group_configurations_help_token())['doc_url']}" rel="noopener"  target="_blank" class="button external-help-button">${_("Learn More")}</a></p>
           </div>
         </div>
       % endif
diff --git a/cms/templates/import.html b/cms/templates/import.html
index 38678c0562..d37aa30f88 100644
--- a/cms/templates/import.html
+++ b/cms/templates/import.html
@@ -213,7 +213,7 @@ else:
           <p>${_("If you change and import a library that is referenced by randomized content blocks in one or more courses, those courses do not automatically use the updated content. You must manually refresh the randomized content blocks to bring them up to date with the latest library content.")}</p>
       </div>
       <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about importing a library")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about importing a library")}</a>
       </div>
     </aside>
   %else:
@@ -245,7 +245,7 @@ else:
         <p>${_("If you perform an import while your course is running, and you change the URL names (or url_name nodes) of any Problem components, the student data associated with those Problem components may be lost. This data includes students' problem scores.")}</p>
       </div>
       <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about importing a course")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about importing a course")}</a>
       </div>
     </aside>
   %endif
diff --git a/cms/templates/index.html b/cms/templates/index.html
index ff2b595167..39b193ead7 100644
--- a/cms/templates/index.html
+++ b/cms/templates/index.html
@@ -519,7 +519,7 @@ from openedx.core.djangolib.js_utils import (
         <ol class="list-actions">
           <li class="action-item">
 
-            <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank">${_("Getting Started with {studio_name}").format(studio_name=settings.STUDIO_NAME)}</a>
+            <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank">${_("Getting Started with {studio_name}").format(studio_name=settings.STUDIO_NAME)}</a>
           </li>
         </ol>
       </div>
diff --git a/cms/templates/js/add-xblock-component-support-legend.underscore b/cms/templates/js/add-xblock-component-support-legend.underscore
index e3338da691..483e786581 100644
--- a/cms/templates/js/add-xblock-component-support-legend.underscore
+++ b/cms/templates/js/add-xblock-component-support-legend.underscore
@@ -1,7 +1,7 @@
 <% if (support_legend.show_legend) { %>
     <span class="support-documentation">
         <a class="support-documentation-link"
-           href="https://edx.readthedocs.io/projects/edx-partner-course-staff/en/latest/exercises_tools/create_exercises_and_tools.html#levels-of-support-for-tools" target="_blank">
+           href="https://edx.readthedocs.io/projects/edx-partner-course-staff/en/latest/exercises_tools/create_exercises_and_tools.html#levels-of-support-for-tools" rel="noopener" target="_blank">
             <%- support_legend.documentation_label %>
         </a>
         <span class="support-documentation-level">
diff --git a/cms/templates/js/course-highlights-enable.underscore b/cms/templates/js/course-highlights-enable.underscore
index 885b64bc5f..2b3ea55d5c 100644
--- a/cms/templates/js/course-highlights-enable.underscore
+++ b/cms/templates/js/course-highlights-enable.underscore
@@ -8,5 +8,5 @@
 <% } else { %>
   <button class="status-highlights-enabled-value button" aria-labelledby="highlights-enabled-label"><%- gettext('Enable Now') %></button>
 <% } %>
-<a class="status-highlights-enabled-info" href="<%- highlights_doc_url %>" target="_blank">Learn more</a>
+<a class="status-highlights-enabled-info" href="<%- highlights_doc_url %>" rel="noopener" target="_blank">Learn more</a>
 </div>
diff --git a/cms/templates/js/highlights-enable-editor.underscore b/cms/templates/js/highlights-enable-editor.underscore
index de8ee87989..9541113072 100644
--- a/cms/templates/js/highlights-enable-editor.underscore
+++ b/cms/templates/js/highlights-enable-editor.underscore
@@ -15,7 +15,7 @@
     ),
     {
         linkStart: edx.HtmlUtils.interpolateHtml(
-            edx.HtmlUtils.HTML('<a href="{highlightsDocUrl}" target="_blank">'),
+            edx.HtmlUtils.HTML('<a href="{highlightsDocUrl}" rel="noopener" target="_blank">'),
             {highlightsDocUrl: xblockInfo.attributes.highlights_doc_url}
         ),
         linkEnd: edx.HtmlUtils.HTML('</a>')
diff --git a/cms/templates/js/license-selector.underscore b/cms/templates/js/license-selector.underscore
index 2245f7deb0..6bf3c97806 100644
--- a/cms/templates/js/license-selector.underscore
+++ b/cms/templates/js/license-selector.underscore
@@ -3,7 +3,7 @@
         <%- gettext("License Type") %>
     </h3>
     <ul class="license-types">
-        <% var link_start_tpl = '<a href="{url}" target="_blank">'; %>
+        <% var link_start_tpl = '<a href="{url}" rel="noopener" target="_blank">'; %>
         <% _.each(licenseInfo, function(license, licenseType) { %>
             <li class="license-type" data-license="<%- licenseType %>">
                 <button name="license-<%- licenseType %>"
diff --git a/cms/templates/library.html b/cms/templates/library.html
index e3a3b17aa8..83d6500bc8 100644
--- a/cms/templates/library.html
+++ b/cms/templates/library.html
@@ -98,7 +98,7 @@ from openedx.core.djangolib.markup import HTML, Text
                 </div>
                 % endif
                 <div class="bit external-help">
-                    <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about content libraries")}</a>
+                    <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about content libraries")}</a>
                 </div>
             </div>
         </div>
diff --git a/cms/templates/textbooks.html b/cms/templates/textbooks.html
index 7cd12cbc7e..3e21192193 100644
--- a/cms/templates/textbooks.html
+++ b/cms/templates/textbooks.html
@@ -67,7 +67,7 @@ CMS.URL.LMS_BASE = "${settings.LMS_BASE | n, js_escaped_string}"
         </div>
 
         <div class="bit external-help">
-          <a href="${get_online_help_info(online_help_token())['doc_url']}" target="_blank" class="button external-help-button">${_("Learn more about textbooks")}</a>
+          <a href="${get_online_help_info(online_help_token())['doc_url']}" rel="noopener" target="_blank" class="button external-help-button">${_("Learn more about textbooks")}</a>
         </div>
       </aside>
     </section>
diff --git a/cms/templates/ux/reference/fragments/course-settings.html b/cms/templates/ux/reference/fragments/course-settings.html
index c6549ac5b4..13ae79e157 100644
--- a/cms/templates/ux/reference/fragments/course-settings.html
+++ b/cms/templates/ux/reference/fragments/course-settings.html
@@ -41,7 +41,7 @@
             <h3 class="title">Course Summary Page <span class="tip">(for student enrollment and access)</span></h3>
             <div class="copy">
 
-              <p><a class="link-courseURL" rel="external" href="http://localhost:8000/courses/course-v1:AndyA+AA101+1/about" title="This link will open in a new browser window/tab" target="_blank">http://localhost:8000/courses/course-v1:AndyA+AA101+1/about</a></p>
+              <p><a class="link-courseURL" rel="external" href="http://localhost:8000/courses/course-v1:AndyA+AA101+1/about" title="This link will open in a new browser window/tab" rel="noopener" target="_blank">http://localhost:8000/courses/course-v1:AndyA+AA101+1/about</a></p>
             </div>
 
             <ul class="list-actions">
@@ -351,7 +351,7 @@
                   <label class="sr" for="course-overview-cm-textarea">
                     HTML Code Editor
                   </label>
-                  <span class="tip tip-stacked">Introductions, prerequisites, FAQs that are used on <a class="link-courseURL" rel="external" href="http://localhost:8000/courses/course-v1:AndyA+AA101+1/about" title="This link will open in a new browser window/tab" target="_blank">your course summary page</a> (formatted in HTML)</span>
+                  <span class="tip tip-stacked">Introductions, prerequisites, FAQs that are used on <a class="link-courseURL" rel="external" href="http://localhost:8000/courses/course-v1:AndyA+AA101+1/about" title="This link will open in a new browser window/tab" rel="noopener" target="_blank">your course summary page</a> (formatted in HTML)</span>
                 </li>
 
                 <li class="field image" id="field-course-image">
@@ -465,7 +465,7 @@
                 </button>
                 <p class="tip">
 
-                        <a href="https://creativecommons.org/about" target="_blank">
+                        <a href="https://creativecommons.org/about" rel="noopener" target="_blank">
                             Learn more about Creative Commons
                         </a>
 
diff --git a/cms/templates/widgets/header.html b/cms/templates/widgets/header.html
index 1b69f2411e..da845383fd 100644
--- a/cms/templates/widgets/header.html
+++ b/cms/templates/widgets/header.html
@@ -220,7 +220,7 @@
         <h2 class="sr-only">${_("Account Navigation")}</h2>
         <ol>
           <li class="nav-item nav-account-help">
-            <h3 class="title"><span class="label"><a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">${_("Help")}</a></span></h3>
+            <h3 class="title"><span class="label"><a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" rel="noopener" target="_blank">${_("Help")}</a></span></h3>
           </li>
           <li class="nav-item nav-account-user">
             <%include file="user_dropdown.html" args="online_help_token=online_help_token" />
@@ -236,7 +236,7 @@
         <h2 class="sr-only">${_("Account Navigation")}</h2>
         <ol>
           <li class="nav-item nav-not-signedin-help">
-            <a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" target="_blank">${_("Help")}</a>
+            <a href="${get_online_help_info(online_help_token)['doc_url']}" title="${_('Contextual Online Help')}" rel="noopener" target="_blank">${_("Help")}</a>
           </li>
           % if static.get_value('ALLOW_PUBLIC_ACCOUNT_CREATION', settings.FEATURES.get('ALLOW_PUBLIC_ACCOUNT_CREATION')):
               <li class="nav-item nav-not-signedin-signup">
diff --git a/common/lib/xmodule/xmodule/lti_module.py b/common/lib/xmodule/xmodule/lti_module.py
index b439f335ae..01753cb0d0 100644
--- a/common/lib/xmodule/xmodule/lti_module.py
+++ b/common/lib/xmodule/xmodule/lti_module.py
@@ -85,7 +85,7 @@ from openedx.core.djangolib.markup import HTML, Text
 log = logging.getLogger(__name__)
 
 DOCS_ANCHOR_TAG_OPEN = (
-    "<a target='_blank' "
+    "<a rel='noopener' target='_blank' "
     "href='https://edx.readthedocs.io/projects/edx-partner-course-staff/en/latest/exercises_tools/lti_component.html'>"
 )
 BREAK_TAG = '<br />'
diff --git a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
index 177f365782..fe8a7d1cb8 100644
--- a/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
+++ b/lms/djangoapps/instructor/tests/views/test_instructor_dashboard.py
@@ -92,14 +92,14 @@ class TestInstructorDashboard(ModuleStoreTestCase, LoginEnrollmentTestCase, XssT
         Returns expected dashboard enrollment message with link to Insights.
         """
         return u'Enrollment data is now available in <a href="http://example.com/courses/{}" ' \
-               'target="_blank">Example</a>.'.format(text_type(self.course.id))
+               'rel="noopener" target="_blank">Example</a>.'.format(text_type(self.course.id))
 
     def get_dashboard_analytics_message(self):
         """
         Returns expected dashboard demographic message with link to Insights.
         """
         return u'For analytics about your course, go to <a href="http://example.com/courses/{}" ' \
-               'target="_blank">Example</a>.'.format(text_type(self.course.id))
+               'rel="noopener" target="_blank">Example</a>.'.format(text_type(self.course.id))
 
     def test_instructor_tab(self):
         """
diff --git a/lms/djangoapps/instructor/views/instructor_dashboard.py b/lms/djangoapps/instructor/views/instructor_dashboard.py
index 0c596b73bf..93da9f22d7 100644
--- a/lms/djangoapps/instructor/views/instructor_dashboard.py
+++ b/lms/djangoapps/instructor/views/instructor_dashboard.py
@@ -140,7 +140,7 @@ def instructor_dashboard_2(request, course_id):
     if show_analytics_dashboard_message(course_key):
         # Construct a URL to the external analytics dashboard
         analytics_dashboard_url = '{0}/courses/{1}'.format(settings.ANALYTICS_DASHBOARD_URL, six.text_type(course_key))
-        link_start = HTML(u"<a href=\"{}\" target=\"_blank\">").format(analytics_dashboard_url)
+        link_start = HTML(u"<a href=\"{}\" rel=\"noopener\" target=\"_blank\">").format(analytics_dashboard_url)
         analytics_dashboard_message = _(
             u"To gain insights into student enrollment and participation {link_start}"
             u"visit {analytics_dashboard_name}, our new course analytics product{link_end}."
@@ -773,7 +773,7 @@ def _section_send_email(course, access):
 def _get_dashboard_link(course_key):
     """ Construct a URL to the external analytics dashboard """
     analytics_dashboard_url = u'{0}/courses/{1}'.format(settings.ANALYTICS_DASHBOARD_URL, six.text_type(course_key))
-    link = HTML(u"<a href=\"{0}\" target=\"_blank\">{1}</a>").format(
+    link = HTML(u"<a href=\"{0}\" rel=\"noopener\" target=\"_blank\">{1}</a>").format(
         analytics_dashboard_url, settings.ANALYTICS_DASHBOARD_NAME
     )
     return link
diff --git a/lms/static/js/instructor_dashboard/util.js b/lms/static/js/instructor_dashboard/util.js
index 3104c055e3..1d44873bdd 100644
--- a/lms/static/js/instructor_dashboard/util.js
+++ b/lms/static/js/instructor_dashboard/util.js
@@ -504,7 +504,7 @@
                     cssClass: 'file-download-link',
                     formatter: function(row, cell, value, columnDef, dataContext) {
                         return edx.HtmlUtils.joinHtml(edx.HtmlUtils.HTML(
-                            '<a target="_blank" href="'), dataContext.url,
+                            '<a rel="noopener" target="_blank" href="'), dataContext.url,
                             edx.HtmlUtils.HTML('">'), dataContext.name,
                             edx.HtmlUtils.HTML('</a>'));
                     }
diff --git a/lms/static/js/student_account/components/StudentAccountDeletion.jsx b/lms/static/js/student_account/components/StudentAccountDeletion.jsx
index 0cf71ea144..e925d5455f 100644
--- a/lms/static/js/student_account/components/StudentAccountDeletion.jsx
+++ b/lms/static/js/student_account/components/StudentAccountDeletion.jsx
@@ -41,7 +41,7 @@ export class StudentAccountDeletion extends React.Component {
     const loseAccessText = StringUtils.interpolate(
       gettext('You may also lose access to verified certificates and other program credentials like MicroMasters certificates. If you want to make a copy of these for your records before proceeding with deletion, follow the instructions for {htmlStart}printing or downloading a certificate{htmlEnd}.'),
       {
-        htmlStart: '<a href="https://edx.readthedocs.io/projects/edx-guide-for-students/en/latest/SFD_certificates.html#printing-a-certificate" target="_blank">',
+        htmlStart: '<a href="https://edx.readthedocs.io/projects/edx-guide-for-students/en/latest/SFD_certificates.html#printing-a-certificate" rel="noopener" target="_blank">',
         htmlEnd: '</a>',
       },
     );
@@ -51,7 +51,7 @@ export class StudentAccountDeletion extends React.Component {
     const socialAuthError = StringUtils.interpolate(
       gettext('Before proceeding, please {htmlStart}unlink all social media accounts{htmlEnd}.'),
       {
-        htmlStart: '<a href="https://support.edx.org/hc/en-us/articles/207206067" target="_blank">',
+        htmlStart: '<a href="https://support.edx.org/hc/en-us/articles/207206067" rel="noopener" target="_blank">',
         htmlEnd: '</a>',
       },
     );
@@ -59,7 +59,7 @@ export class StudentAccountDeletion extends React.Component {
     const activationError = StringUtils.interpolate(
       gettext('Before proceeding, please {htmlStart}activate your account{htmlEnd}.'),
       {
-        htmlStart: '<a href="https://support.edx.org/hc/en-us/articles/115000940568-How-do-I-activate-my-account-" target="_blank">',
+        htmlStart: '<a href="https://support.edx.org/hc/en-us/articles/115000940568-How-do-I-activate-my-account-" rel="noopener" target="_blank">',
         htmlEnd: '</a>',
       },
     );
@@ -67,7 +67,7 @@ export class StudentAccountDeletion extends React.Component {
     const changeAcctInfoText = StringUtils.interpolate(
       gettext('{htmlStart}Want to change your email, name, or password instead?{htmlEnd}'),
       {
-        htmlStart: '<a href="https://support.edx.org/hc/en-us/sections/115004139268-Manage-Your-Account-Settings" target="_blank">',
+        htmlStart: '<a href="https://support.edx.org/hc/en-us/sections/115004139268-Manage-Your-Account-Settings" rel="noopener" target="_blank">',
         htmlEnd: '</a>',
       },
     );
diff --git a/lms/static/js/student_account/components/StudentAccountDeletionModal.jsx b/lms/static/js/student_account/components/StudentAccountDeletionModal.jsx
index e2e2b301a0..fef4a3b2f9 100644
--- a/lms/static/js/student_account/components/StudentAccountDeletionModal.jsx
+++ b/lms/static/js/student_account/components/StudentAccountDeletionModal.jsx
@@ -96,7 +96,7 @@ class StudentAccountDeletionConfirmationModal extends React.Component {
     const loseAccessText = StringUtils.interpolate(
       gettext('You may also lose access to verified certificates and other program credentials like MicroMasters certificates. If you want to make a copy of these for your records before proceeding with deletion, follow the instructions for {htmlStart}printing or downloading a certificate{htmlEnd}.'),
       {
-        htmlStart: '<a href="https://edx.readthedocs.io/projects/edx-guide-for-students/en/latest/SFD_certificates.html#printing-a-certificate" target="_blank">',
+        htmlStart: '<a href="https://edx.readthedocs.io/projects/edx-guide-for-students/en/latest/SFD_certificates.html#printing-a-certificate" rel="noopener" target="_blank">',
         htmlEnd: '</a>',
       },
     );
diff --git a/lms/static/js/student_account/views/RegisterView.js b/lms/static/js/student_account/views/RegisterView.js
index 70191b66e2..c0ae569e8f 100644
--- a/lms/static/js/student_account/views/RegisterView.js
+++ b/lms/static/js/student_account/views/RegisterView.js
@@ -262,7 +262,7 @@
                     $('label a').click(function(ev) {
                         ev.stopPropagation();
                         ev.preventDefault();
-                        window.open($(this).attr('href'), $(this).attr('target'));
+                        window.open($(this).attr('href'), $(this).attr('target'), 'noopener');
                     });
                     $('.form-field').each(function() {
                         $(this).find('option:first').html('');
diff --git a/lms/templates/api_admin/catalogs/edit.html b/lms/templates/api_admin/catalogs/edit.html
index 713fd6b805..93f41c1ebf 100644
--- a/lms/templates/api_admin/catalogs/edit.html
+++ b/lms/templates/api_admin/catalogs/edit.html
@@ -25,7 +25,7 @@ from openedx.core.djangolib.js_utils import js_escaped_string
   <h1 id="api-header">${catalog.name}</h1>
 
   <p>
-    <a href="${'{root}/{id}/csv/'.format(root=catalog_api_catalog_endpoint, id=catalog.id)}" target="_blank">
+    <a href="${'{root}/{id}/csv/'.format(root=catalog_api_catalog_endpoint, id=catalog.id)}" rel="noopener" target="_blank">
       ${_("Download CSV")}
     </a>
   </p>
diff --git a/lms/templates/api_admin/catalogs/list.html b/lms/templates/api_admin/catalogs/list.html
index ae7e9df906..e463fca319 100644
--- a/lms/templates/api_admin/catalogs/list.html
+++ b/lms/templates/api_admin/catalogs/list.html
@@ -28,7 +28,7 @@ CatalogPreviewFactory({
     <li>
       <a href="${reverse('api_admin:catalog-edit', args=(catalog.id,))}">${catalog.name}</a>&nbsp;
       (<a
-          href="${'{root}/{id}/csv/'.format(root=catalog_api_catalog_endpoint, id=catalog.id)}"
+          href="${'{root}/{id}/csv/'.format(root=catalog_api_catalog_endpoint, id=catalog.id)}" rel="noopener"
           target="_blank">${_("Download CSV")}</a>)
     </li>
     % endfor
diff --git a/lms/templates/certificates/_accomplishment-banner.html b/lms/templates/certificates/_accomplishment-banner.html
index 1de1e5fdd7..ab39759653 100644
--- a/lms/templates/certificates/_accomplishment-banner.html
+++ b/lms/templates/certificates/_accomplishment-banner.html
@@ -25,7 +25,7 @@ from openedx.core.djangolib.js_utils import js_escaped_string
                   social_network: 'LinkedIn'
               };
               Logger.log('edx.certificate.shared', data);
-              window.open('${linked_in_url | n, js_escaped_string}');
+              window.open('${linked_in_url | n, js_escaped_string}', '', 'noopener');
           });
       });
 
@@ -33,7 +33,9 @@ from openedx.core.djangolib.js_utils import js_escaped_string
           // popup a window at center of the screen.
           var left = (screen.width/2)-(width/2);
           var top = (screen.height/2)-(height/2);
-          return window.open(url, title, 'toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width='+width+', height='+height+', top='+top+', left='+left);
+          var popupWindow = window.open(url, title, 'toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width='+width+', height='+height+', top='+top+', left='+left);
+          popupWindow.opener = null;
+          return popupWindow;
       }
   </script>
 </%block>
diff --git a/lms/templates/certificates/_badges-modal.html b/lms/templates/certificates/_badges-modal.html
index 70a24e785f..9d7696c752 100644
--- a/lms/templates/certificates/_badges-modal.html
+++ b/lms/templates/certificates/_badges-modal.html
@@ -13,9 +13,9 @@
         <hr class="modal-hr"/>
         <img class="backpack-logo" src="${static.url('certificates/images/backpack-logo.png')}">
         <ol class="badges-steps">
-            <li class="step">Create a <a href="https://backpack.openbadges.org/" target="_blank">Mozilla Backpack</a> account, or log in to your existing account
+            <li class="step">Create a <a href="https://backpack.openbadges.org/" rel="noopener" target="_blank">Mozilla Backpack</a> account, or log in to your existing account
             </li>
-            <li class="step"><a href="${badge.image_url}" target="_blank">Download this image (right-click, save as)</a> and then <a href="https://backpack.openbadges.org/backpack/add" target="_blank">upload</a> it to your backpack.</li>
+            <li class="step"><a href="${badge.image_url}" rel="noopener" target="_blank">Download this image (right-click, save as)</a> and then <a href="https://backpack.openbadges.org/backpack/add" target="_blank">upload</a> it to your backpack.</li>
         </ol>
         <div class="image-container">
             <img class="badges-backpack-example" src="${static.url('certificates/images/backpack-ui.png')}">
diff --git a/lms/templates/courseware/progress.html b/lms/templates/courseware/progress.html
index 55895e5ed8..580a97f307 100644
--- a/lms/templates/courseware/progress.html
+++ b/lms/templates/courseware/progress.html
@@ -80,9 +80,9 @@ username = get_enterprise_learner_generic_name(request) or student.username
                                 </div>
                                 <div class="msg-actions">
                                     %if certificate_data.cert_web_view_url:
-                                    <a class="btn" href="${certificate_data.cert_web_view_url}" target="_blank">${_("View Certificate")} <span class="sr">${_("Opens in a new browser window")}</span></a>
+                                    <a class="btn" href="${certificate_data.cert_web_view_url}" rel="noopener" target="_blank">${_("View Certificate")} <span class="sr">${_("Opens in a new browser window")}</span></a>
                                     %elif certificate_data.cert_status == CertificateStatuses.downloadable and certificate_data.download_url:
-                                    <a class="btn" href="${certificate_data.download_url}" target="_blank">${_("Download Your Certificate")} <span class="sr">${_("Opens in a new browser window")}</span></a>
+                                    <a class="btn" href="${certificate_data.download_url}" rel="noopener" target="_blank">${_("Download Your Certificate")} <span class="sr">${_("Opens in a new browser window")}</span></a>
                                     %elif certificate_data.cert_status == CertificateStatuses.requesting:
                                     <button class="btn generate_certs" data-endpoint="${post_url}" id="btn_generate_cert">${_('Request Certificate')}</button>
                                     %endif
diff --git a/lms/templates/credit_notifications/credit_eligibility_email.html b/lms/templates/credit_notifications/credit_eligibility_email.html
index 9244160284..3a91f26ca4 100644
--- a/lms/templates/credit_notifications/credit_eligibility_email.html
+++ b/lms/templates/credit_notifications/credit_eligibility_email.html
@@ -19,7 +19,7 @@
       <table>
         <tr>
           <td class="cn-img-wrapper">
-            <a target="_blank" title="" href="#">
+            <a rel="noopener" target="_blank" title="" href="#">
               <img class="cn-img" src="cid:${branded_logo}">
             </a>
           </td>
diff --git a/lms/templates/dashboard.html b/lms/templates/dashboard.html
index 6451c814b0..06af263467 100644
--- a/lms/templates/dashboard.html
+++ b/lms/templates/dashboard.html
@@ -297,7 +297,7 @@ from student.models import CourseEnrollment
                 <li class="order-history">
                   <span class="title">${_("Order History")}</span>
                   % for order_history_item in order_history_list:
-                    <span><a href="${order_history_item['receipt_url']}" target="_blank" class="edit-name">${order_history_item['order_date']}</a></span>
+                    <span><a href="${order_history_item['receipt_url']}" rel="noopener" target="_blank" class="edit-name">${order_history_item['order_date']}</a></span>
                   % endfor
                 </li>
                 % endif
diff --git a/lms/templates/dashboard/_dashboard_certificate_information.html b/lms/templates/dashboard/_dashboard_certificate_information.html
index 99820d8f33..651f80cd9e 100644
--- a/lms/templates/dashboard/_dashboard_certificate_information.html
+++ b/lms/templates/dashboard/_dashboard_certificate_information.html
@@ -82,7 +82,7 @@ else:
               </li>
             % elif cert_status['status'] == 'downloadable' and cert_status.get('show_cert_web_view', False):
               <li class="action action-certificate">
-                <a class="btn" href="${cert_status['cert_web_view_url']}" target="_blank"
+                <a class="btn" href="${cert_status['cert_web_view_url']}" rel="noopener" target="_blank"
                    title="${_('This link will open the certificate web view')}">
                   ${_("View {cert_name_short}").format(cert_name_short=cert_name_short,)}
                 </a>
@@ -123,7 +123,7 @@ else:
         % if cert_status['status'] == 'downloadable' and cert_status['linked_in_url']:
           <ul class="actions actions-secondary">
               <li class="action action-share">
-                <a class="action-linkedin-profile" target="_blank" href="${cert_status['linked_in_url']}"
+                <a class="action-linkedin-profile" rel="noopener" target="_blank" href="${cert_status['linked_in_url']}"
                  title="${_('Add Certificate to LinkedIn Profile')}"
                  data-course-id="${course_overview.id}"
                  data-certificate-mode="${cert_status['mode']}"
diff --git a/lms/templates/dashboard/_dashboard_course_listing.html b/lms/templates/dashboard/_dashboard_course_listing.html
index 44c7861c18..df02c0d11d 100644
--- a/lms/templates/dashboard/_dashboard_course_listing.html
+++ b/lms/templates/dashboard/_dashboard_course_listing.html
@@ -236,10 +236,11 @@ from util.course import get_link_for_about_page, get_encoded_course_sharing_utm_
                           data-trigger="focus hover"
                           class="action action-facebook"
                           href="${facebook_url}"
+                          rel="noopener"
                           target="_blank"
                           title="${_('Share on Facebook')}"
                           data-course-id="${course_overview.id}"
-                          onclick="window.open('${facebook_url}', '${share_window_name}', '${share_window_config}'); return false;">
+                          onclick="var popupWindow = window.open('${facebook_url}', '${share_window_name}', '${share_window_config}'); popupWindow.opener = null; return false;">
                           <span class="sr">${share_msg}</span>
                           <span class="fa fa-facebook" aria-hidden="true"></span>
                         </a>
@@ -257,10 +258,11 @@ from util.course import get_link_for_about_page, get_encoded_course_sharing_utm_
                           data-trigger="focus hover"
                           class="action action-twitter"
                           href="${twitter_url}"
+                          rel="noopener"
                           target="_blank"
                           title="${_('Share on Twitter')}"
                           data-course-id="${course_overview.id}"
-                          onclick="window.open('${twitter_url}', '${share_window_name}', '${share_window_config}'); return false;">
+                          onclick="var popupWindow = window.open('${twitter_url}', '${share_window_name}', '${share_window_config}'); popupWindow.opener = null; return false;">
                           <span class="sr">${share_msg}</span>
                           <span class="fa fa-twitter" aria-hidden="true"></span>
                         </a>
diff --git a/lms/templates/dashboard/_dashboard_credit_info.html b/lms/templates/dashboard/_dashboard_credit_info.html
index b4f7622a64..eaac92e7b2 100644
--- a/lms/templates/dashboard/_dashboard_credit_info.html
+++ b/lms/templates/dashboard/_dashboard_credit_info.html
@@ -8,7 +8,7 @@
 
 % if credit_status["eligible"]:
     <%
-        provider_link = HTML('<a href="{href}" target="_blank">{name}</a>').format(
+        provider_link = HTML('<a href="{href}" rel="noopener" target="_blank">{name}</a>').format(
             href=credit_status["provider_status_url"],
             name=credit_status["provider_name"])
 
@@ -85,7 +85,7 @@
         </p>
         <div class="credit-action">
             % if credit_btn_label:
-                <a class="btn credit-btn ${credit_btn_class}" href="${credit_btn_href}" target="_blank" data-course-key="${credit_status['course_key']}" data-user="${user.username}" data-provider="${credit_status['provider_id']}">
+                <a class="btn credit-btn ${credit_btn_class}" href="${credit_btn_href}" rel="noopener" target="_blank" data-course-key="${credit_status['course_key']}" data-user="${user.username}" data-provider="${credit_status['provider_id']}">
                     ${credit_btn_label}
                 </a>
             % endif
diff --git a/lms/templates/fields/field_order_history.underscore b/lms/templates/fields/field_order_history.underscore
index 5d1aed8233..d60a9cbb4a 100644
--- a/lms/templates/fields/field_order_history.underscore
+++ b/lms/templates/fields/field_order_history.underscore
@@ -4,7 +4,7 @@
     <span class="u-field-order-price"><span class="sr"><%- gettext('Cost') %>: </span><% if (!isNaN(parseFloat(totalPrice))) { %>$<% } %><%- totalPrice %></span>
     <span class="u-field-order-link">
         <% if (receiptUrl) { %>
-            <a class="u-field-link" target="_blank" href="<%- receiptUrl %>"><%- gettext('Order Details') %><span class="sr"> <%- gettext('for') %> <%- orderId %></span></a>
+            <a class="u-field-link" target="_blank" rel="noopener" href="<%- receiptUrl %>"><%- gettext('Order Details') %><span class="sr"> <%- gettext('for') %> <%- orderId %></span></a>
         <% } %>
     </span>
     <% _.each(lines, function(item){ %>
diff --git a/lms/templates/header/header.html b/lms/templates/header/header.html
index b65d7ce96e..22aeea96ea 100644
--- a/lms/templates/header/header.html
+++ b/lms/templates/header/header.html
@@ -81,8 +81,8 @@ from openedx.core.djangoapps.site_configuration import helpers as configuration_
 <div class="ie-banner" aria-hidden="true">${Text(_('{begin_strong}Warning:{end_strong} Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.')).format(
     begin_strong=HTML('<strong>'),
     end_strong=HTML('</strong>'),
-    chrome_link=HTML('<a href="https://www.google.com/chrome" target="_blank">Chrome</a>'),
-    ff_link=HTML('<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>'),
+    chrome_link=HTML('<a href="https://www.google.com/chrome" rel="noopener" target="_blank">Chrome</a>'),
+    ff_link=HTML('<a href="http://www.mozilla.org/firefox" rel="noopener" target="_blank">Firefox</a>'),
 )}</div>
 <![endif]-->
 % endif
diff --git a/lms/templates/header/navbar-authenticated.html b/lms/templates/header/navbar-authenticated.html
index ceb57b1293..82d4cda9ee 100644
--- a/lms/templates/header/navbar-authenticated.html
+++ b/lms/templates/header/navbar-authenticated.html
@@ -68,7 +68,7 @@ from openedx.core.djangoapps.site_configuration import helpers as configuration_
       </div>
     % endif
     <div class="mobile-nav-item hidden-mobile nav-item">
-      <a class="help-link" href="${help_link}" target="_blank">${_("Help")}</a>
+      <a class="help-link" href="${help_link}" rel="noopener" target="_blank">${_("Help")}</a>
     </div>
     <%include file="user_dropdown.html"/>
   </div>
diff --git a/lms/templates/instructor/instructor_dashboard_2/cohort-group-header.underscore b/lms/templates/instructor/instructor_dashboard_2/cohort-group-header.underscore
index e0bdace9a6..4180dff101 100644
--- a/lms/templates/instructor/instructor_dashboard_2/cohort-group-header.underscore
+++ b/lms/templates/instructor/instructor_dashboard_2/cohort-group-header.underscore
@@ -12,10 +12,10 @@
     <div class="setup-value">
         <% if (cohort.get('assignment_type') == "manual") { %>
             <%- gettext("Learners are added to this cohort only when you provide their email addresses or usernames on this page.") %>
-            <a href="/help_token/cohortmanual" class="incontext-help action-secondary action-help" target="_blank"><%- gettext("What does this mean?") %></a>
+            <a href="/help_token/cohortmanual" class="incontext-help action-secondary action-help" rel="noopener" target="_blank"><%- gettext("What does this mean?") %></a>
         <% } else { %>
             <%- gettext("Learners are added to this cohort automatically.") %>
-            <a href="/help_token/cohortautomatic" class="incontext-help action-secondary action-help" target="_blank"><%- gettext("What does this mean?") %></a>
+            <a href="/help_token/cohortautomatic" class="incontext-help action-secondary action-help" rel="noopener" target="_blank"><%- gettext("What does this mean?") %></a>
         <% } %>
     </div>
 </div>
diff --git a/lms/templates/instructor/instructor_dashboard_2/instructor_analytics.html b/lms/templates/instructor/instructor_dashboard_2/instructor_analytics.html
index d51ce38aae..1e528699da 100644
--- a/lms/templates/instructor/instructor_dashboard_2/instructor_analytics.html
+++ b/lms/templates/instructor/instructor_dashboard_2/instructor_analytics.html
@@ -11,7 +11,7 @@ from openedx.core.djangolib.markup import HTML, Text
     <p>
         <em>
             ${Text(_("For analytics about your course, go to {link_start}{analytics_dashboard_name}{link_end}.")).format(
-                link_start=HTML('<a href="{dashboard_url}" target="_blank">').format(
+                link_start=HTML('<a href="{dashboard_url}" rel="noopener" target="_blank">').format(
                     dashboard_url=escape_uri_path('{base_url}/courses/{course_id}'.format(
                         base_url=settings.ANALYTICS_DASHBOARD_URL,
                         course_id=section_data['course_id'],
diff --git a/lms/templates/login.html b/lms/templates/login.html
index c2d2b90e45..9719250177 100644
--- a/lms/templates/login.html
+++ b/lms/templates/login.html
@@ -33,7 +33,7 @@ from openedx.core.djangolib.js_utils import js_escaped_string, dump_js_escaped_j
       // new window/tab opening
       $('a[rel="external"], a[class="new-vp"]')
       .click( function() {
-        window.open( $(this).attr('href') );
+        window.open( $(this).attr('href'), '', 'noopener' );
         return false;
       });
 
diff --git a/lms/templates/lti.html b/lms/templates/lti.html
index 486c5d652d..c3b99a06d5 100644
--- a/lms/templates/lti.html
+++ b/lms/templates/lti.html
@@ -34,7 +34,7 @@ from django.utils.translation import ugettext as _
             % if description:
                 <div class="lti-description">${description}</div>
             % endif
-            <p class="lti-link external"><a target="_blank" class="link_lti_new_window" href="${form_url}">
+            <p class="lti-link external"><a target="_blank" class="link_lti_new_window" rel="noopener" href="${form_url}">
                 ${button_text or _('View resource in a new window')}
                  <span class="icon fa fa-external-link" aria-hidden="true"></span>
             </a></p>
diff --git a/lms/templates/navigation/bootstrap/navbar-authenticated.html b/lms/templates/navigation/bootstrap/navbar-authenticated.html
index 084db34f64..e3b709f33e 100644
--- a/lms/templates/navigation/bootstrap/navbar-authenticated.html
+++ b/lms/templates/navigation/bootstrap/navbar-authenticated.html
@@ -65,7 +65,8 @@ from django.utils.translation import ugettext as _
 
     <li class="nav-item mt-2 nav-item-open-collapsed">
       <a href="${get_online_help_info(online_help_token)['doc_url']}"
-       target="_blank"
+      rel="noopener" 
+      target="_blank"
        class="nav-link">${_("Help")}</a>
     </li>
 
diff --git a/lms/templates/navigation/navbar-authenticated.html b/lms/templates/navigation/navbar-authenticated.html
index 367cd5fe68..ab01763666 100644
--- a/lms/templates/navigation/navbar-authenticated.html
+++ b/lms/templates/navigation/navbar-authenticated.html
@@ -42,6 +42,7 @@ from django.utils.translation import ugettext as _
 <%include file="../user_dropdown.html"/>
 
 <a href="${get_online_help_info(online_help_token)['doc_url']}"
+        rel="noopener"
          target="_blank"
          class="doc-link">${_("Help")}</a>
 
diff --git a/lms/templates/navigation/navigation.html b/lms/templates/navigation/navigation.html
index 0e6c0b305c..22d7ac0965 100644
--- a/lms/templates/navigation/navigation.html
+++ b/lms/templates/navigation/navigation.html
@@ -93,8 +93,8 @@ from openedx.core.djangoapps.lang_pref.api import header_language_selector_is_en
 <div class="ie-banner" aria-hidden="true">${Text(_('{begin_strong}Warning:{end_strong} Your browser is not fully supported. We strongly recommend using {chrome_link} or {ff_link}.')).format(
     begin_strong=HTML('<strong>'),
     end_strong=HTML('</strong>'),
-    chrome_link=HTML('<a href="https://www.google.com/chrome" target="_blank">Chrome</a>'),
-    ff_link=HTML('<a href="http://www.mozilla.org/firefox" target="_blank">Firefox</a>'),
+    chrome_link=HTML('<a href="https://www.google.com/chrome" rel="noopener" target="_blank">Chrome</a>'),
+    ff_link=HTML('<a href="http://www.mozilla.org/firefox" rel="noopener" target="_blank">Firefox</a>'),
 )}</div>
 <![endif]-->
 % endif
diff --git a/lms/templates/register-shib.html b/lms/templates/register-shib.html
index ef0c42b427..475b8f0eb6 100644
--- a/lms/templates/register-shib.html
+++ b/lms/templates/register-shib.html
@@ -28,7 +28,7 @@ import calendar
       // new window/tab opening
       $('a[rel="external"], a[class="new-vp"]')
       .click( function() {
-      window.open( $(this).attr('href') );
+      window.open( $(this).attr('href'), '', 'noopener' );
       return false;
       });
 
diff --git a/lms/templates/register.html b/lms/templates/register.html
index 2437d9f936..5a1bf45bc0 100644
--- a/lms/templates/register.html
+++ b/lms/templates/register.html
@@ -29,7 +29,7 @@ import calendar
       // new window/tab opening
       $('a[rel="external"], a[class="new-vp"]')
       .click( function() {
-      window.open( $(this).attr('href') );
+      window.open( $(this).attr('href'), '', 'noopener' );
       return false;
       });
 
diff --git a/lms/templates/signup_modal.html b/lms/templates/signup_modal.html
index 223fffb318..f8ae07a982 100644
--- a/lms/templates/signup_modal.html
+++ b/lms/templates/signup_modal.html
@@ -134,7 +134,7 @@ import calendar
           <label data-field="terms_of_service" class="terms-of-service" for="signup_tos">
             <input id="signup_tos" name="terms_of_service" type="checkbox" value="true">
             ${Text(_('I agree to the {link_start}Terms of Service{link_end}')).format(
-              link_start=HTML('<a href="{url}" target="_blank">').format(url=reverse('tos')),
+              link_start=HTML('<a href="{url}" rel="noopener" target="_blank">').format(url=reverse('tos')),
               link_end=HTML('</a>'))} *
           </label>
 
@@ -142,7 +142,7 @@ import calendar
           <label data-field="honor_code" class="honor-code" for="signup_honor">
             <input id="signup_honor" name="honor_code" type="checkbox" value="true">
             ${Text(_('I agree to the {link_start}Honor Code{link_end}')).format(
-              link_start=HTML('<a href="{url}" target="_blank">').format(url=reverse('honor')),
+              link_start=HTML('<a href="{url}" rel="noopener" target="_blank">').format(url=reverse('honor')),
               link_end=HTML('</a>'))} *
           </label>
           % endif
diff --git a/lms/templates/student_account/account_settings.underscore b/lms/templates/student_account/account_settings.underscore
index 2e27bcddf2..d58a805ec7 100644
--- a/lms/templates/student_account/account_settings.underscore
+++ b/lms/templates/student_account/account_settings.underscore
@@ -6,7 +6,7 @@
                 <span><%= HtmlUtils.ensureHtml(message) %></span>
                 <div class="alert-actions">
                     <button class="btn-alert-primary" data-old-lang-code="<%- oldLangCode %>"><%- gettext('Switch Language Back') %></button>
-                    <a href="<%- helpTranslateLink %>" target="_blank" class="btn-alert-secondary"><%= HtmlUtils.ensureHtml(helpTranslateText) %></a>
+                    <a href="<%- helpTranslateLink %>" rel="noopener" target="_blank" class="btn-alert-secondary"><%= HtmlUtils.ensureHtml(helpTranslateText) %></a>
                 </div>
             </div>
         </div>
diff --git a/lms/templates/student_account/form_field.underscore b/lms/templates/student_account/form_field.underscore
index e313a7be96..6350d77bdf 100644
--- a/lms/templates/student_account/form_field.underscore
+++ b/lms/templates/student_account/form_field.underscore
@@ -15,7 +15,7 @@
         </label>
         <% if (supplementalLink && supplementalText) { %>
             <div class="supplemental-link">
-                <a href="<%- supplementalLink %>" target="_blank"><%- supplementalText %></a>
+                <a href="<%- supplementalLink %>" rel="noopener" target="_blank"><%- supplementalText %></a>
             </div>
         <% } %>
     <% } %>
@@ -45,7 +45,7 @@
         <% if ( instructions ) { %> <span class="tip tip-input" id="<%- form %>-<%- name %>-desc"><%- instructions %></span><% } %>
         <% if (supplementalLink && supplementalText) { %>
             <div class="supplemental-link">
-                <a href="<%- supplementalLink %>" target="_blank"><%- supplementalText %></a>
+                <a href="<%- supplementalLink %>" rel="noopener" target="_blank"><%- supplementalText %></a>
             </div>
         <% } %>
     <% } else if ( type === 'textarea' ) { %>
@@ -71,7 +71,7 @@
         <% if ( instructions ) { %> <span class="tip tip-input" id="<%- form %>-<%- name %>-desc"><%- instructions %></span><% } %>
         <% if (supplementalLink && supplementalText) { %>
             <div class="supplemental-link">
-                <a href="<%- supplementalLink %>" target="_blank"><%- supplementalText %></a>
+                <a href="<%- supplementalLink %>" rel="noopener" target="_blank"><%- supplementalText %></a>
             </div>
         <% } %>
     <% } else if (type === 'plaintext' ) { %>
@@ -86,7 +86,7 @@
         <% if ( type === 'checkbox' ) { %>
             <% if (supplementalLink && supplementalText) { %>
                 <div class="supplemental-link">
-                    <a href="<%- supplementalLink %>" target="_blank"><%- supplementalText %></a>
+                    <a href="<%- supplementalLink %>" rel="noopener" target="_blank"><%- supplementalText %></a>
                 </div>
             <% } %>
         <% } %>
diff --git a/lms/templates/wiki/delete.html b/lms/templates/wiki/delete.html
index dd2e9b1f34..04a84e0b10 100644
--- a/lms/templates/wiki/delete.html
+++ b/lms/templates/wiki/delete.html
@@ -26,7 +26,7 @@
 
       <ul>
         {% for child in delete_children %}
-        <li><a href="{% url 'wiki:get' article_id=child.article.id %}" target="_blank">{{ child.article }}</a></li>
+        <li><a href="{% url 'wiki:get' article_id=child.article.id %}" rel="noopener" target="_blank">{{ child.article }}</a></li>
         {% if delete_children_more %}
         <li><em>{% trans "...and more!" as tmsg%}{{tmsg|force_escape}}</em></li>
         {% endif %}
diff --git a/lms/templates/wiki/includes/cheatsheet.html b/lms/templates/wiki/includes/cheatsheet.html
index 08bd3ea5c3..17f2c14530 100644
--- a/lms/templates/wiki/includes/cheatsheet.html
+++ b/lms/templates/wiki/includes/cheatsheet.html
@@ -15,9 +15,9 @@
           <p>{% trans "This wiki uses {start_strong}Markdown{end_strong} for styling. There are several useful guides online. See any of the links below for in-depth details:" as tmsg%}
               {% interpolate_html tmsg start_strong='<strong>'|safe end_strong='</strong>'|safe %}</p>
           <ul>
-              <li><a href="http://daringfireball.net/projects/markdown/basics" target="_blank">{% trans 'Markdown: Basics' as tmsg %}{{tmsg|force_escape}}</a></li>
-              <li><a href="http://greg.vario.us/doc/markdown.txt" target="_blank">{% trans 'Quick Markdown Syntax Guide' as tmsg %}{{tmsg|force_escape}}</a></li>
-              <li><a href="http://www.lowendtalk.com/discussion/6/miniature-markdown-guide" target="_blank">{% trans 'Miniature Markdown Guide' as tmsg%}{{tmsg|force_escape}}</a></li>
+              <li><a href="http://daringfireball.net/projects/markdown/basics" rel="noopener" target="_blank">{% trans 'Markdown: Basics' as tmsg %}{{tmsg|force_escape}}</a></li>
+              <li><a href="http://greg.vario.us/doc/markdown.txt" rel="noopener" target="_blank">{% trans 'Quick Markdown Syntax Guide' as tmsg %}{{tmsg|force_escape}}</a></li>
+              <li><a href="http://www.lowendtalk.com/discussion/6/miniature-markdown-guide" rel="noopener" target="_blank">{% trans 'Miniature Markdown Guide' as tmsg%}{{tmsg|force_escape}}</a></li>
           </ul>
           <p>{% trans "To create a new wiki article, create a link to it. Clicking the link gives you the creation page." as tmsg %}{{tmsg|force_escape}}</p>
           <pre>{% trans "[Article Name](wiki:ArticleName)" as tmsg%}{{tmsg|force_escape}}</pre>
diff --git a/openedx/core/djangoapps/api_admin/widgets.py b/openedx/core/djangoapps/api_admin/widgets.py
index b66d3ad07f..3e913766be 100644
--- a/openedx/core/djangoapps/api_admin/widgets.py
+++ b/openedx/core/djangoapps/api_admin/widgets.py
@@ -34,7 +34,9 @@ class TermsOfServiceCheckboxInput(CheckboxInput):
             u'I, and my organization, accept the {link_start}{platform_name} API Terms of Service{link_end}.'
         )).format(
             platform_name=configuration_helpers.get_value('PLATFORM_NAME', settings.PLATFORM_NAME),
-            link_start=HTML(u'<a href="{url}" target="_blank">').format(url=reverse('api_admin:api-tos')),
+            link_start=HTML(u'<a href="{url}" rel="noopener" target="_blank">').format(
+                url=reverse('api_admin:api-tos')
+            ),
             link_end=HTML('</a>'),
         )
 
diff --git a/openedx/core/djangoapps/user_api/api.py b/openedx/core/djangoapps/user_api/api.py
index 8203cf3111..2b1d8af70a 100644
--- a/openedx/core/djangoapps/user_api/api.py
+++ b/openedx/core/djangoapps/user_api/api.py
@@ -806,7 +806,9 @@ class RegistrationFormFactory(object):
         )).format(
             platform_name=configuration_helpers.get_value("PLATFORM_NAME", settings.PLATFORM_NAME),
             terms_of_service=terms_label,
-            terms_of_service_link_start=HTML(u"<a href='{terms_link}' target='_blank'>").format(terms_link=terms_link),
+            terms_of_service_link_start=HTML(u"<a href='{terms_link}' rel='noopener' target='_blank'>").format(
+                terms_link=terms_link
+            ),
             terms_of_service_link_end=HTML("</a>"),
         )
 
@@ -832,9 +834,13 @@ class RegistrationFormFactory(object):
             )).format(
                 platform_name=configuration_helpers.get_value("PLATFORM_NAME", settings.PLATFORM_NAME),
                 terms_of_service=terms_label,
-                terms_of_service_link_start=HTML(u"<a href='{terms_url}' target='_blank'>").format(terms_url=terms_link),
+                terms_of_service_link_start=HTML(u"<a href='{terms_url}' rel='noopener' target='_blank'>").format(
+                    terms_url=terms_link
+                ),
                 terms_of_service_link_end=HTML("</a>"),
-                privacy_policy_link_start=HTML(u"<a href='{pp_url}' target='_blank'>").format(pp_url=pp_link),
+                privacy_policy_link_start=HTML(u"<a href='{pp_url}' rel='noopener' target='_blank'>").format(
+                    pp_url=pp_link
+                ),
                 privacy_policy_link_end=HTML("</a>"),
             )
 
@@ -866,7 +872,9 @@ class RegistrationFormFactory(object):
         label = Text(_(u"I agree to the {platform_name} {tos_link_start}{terms_of_service}{tos_link_end}")).format(
             platform_name=configuration_helpers.get_value("PLATFORM_NAME", settings.PLATFORM_NAME),
             terms_of_service=terms_label,
-            tos_link_start=HTML(u"<a href='{terms_link}' target='_blank'>").format(terms_link=terms_link),
+            tos_link_start=HTML(u"<a href='{terms_link}' rel='noopener' target='_blank'>").format(
+                terms_link=terms_link
+            ),
             tos_link_end=HTML("</a>"),
         )
 
diff --git a/openedx/core/djangoapps/user_api/tests/test_views.py b/openedx/core/djangoapps/user_api/tests/test_views.py
index b317c4e5e0..5fd642343b 100644
--- a/openedx/core/djangoapps/user_api/tests/test_views.py
+++ b/openedx/core/djangoapps/user_api/tests/test_views.py
@@ -1097,7 +1097,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
             "default": False
         }
     ]
-    link_template = u"<a href='/honor' target='_blank'>{link_label}</a>"
+    link_template = u"<a href='/honor' rel='noopener' target='_blank'>{link_label}</a>"
 
     def setUp(self):
         super(RegistrationViewTest, self).setUp()
@@ -1668,8 +1668,8 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
     )
     @mock.patch.dict(settings.FEATURES, {"ENABLE_MKTG_SITE": True})
     def test_registration_honor_code_mktg_site_enabled(self):
-        link_template = "<a href='https://www.test.com/honor' target='_blank'>{link_label}</a>"
-        link_template2 = u"<a href='#' target='_blank'>{link_label}</a>"
+        link_template = "<a href='https://www.test.com/honor' rel='noopener' target='_blank'>{link_label}</a>"
+        link_template2 = u"<a href='#' rel='noopener' target='_blank'>{link_label}</a>"
         link_label = "Terms of Service and Honor Code"
         link_label2 = "Privacy Policy"
         self._assert_reg_field(
@@ -1701,7 +1701,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
     @override_settings(MKTG_URLS_LINK_MAP={"HONOR": "honor"})
     @mock.patch.dict(settings.FEATURES, {"ENABLE_MKTG_SITE": False})
     def test_registration_honor_code_mktg_site_disabled(self):
-        link_template = "<a href='/privacy' target='_blank'>{link_label}</a>"
+        link_template = "<a href='/privacy' rel='noopener' target='_blank'>{link_label}</a>"
         link_label = "Terms of Service and Honor Code"
         link_label2 = "Privacy Policy"
         self._assert_reg_field(
@@ -1740,7 +1740,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
         # Honor code field should say ONLY honor code,
         # not "terms of service and honor code"
         link_label = 'Honor Code'
-        link_template = u"<a href='https://www.test.com/honor' target='_blank'>{link_label}</a>"
+        link_template = u"<a href='https://www.test.com/honor' rel='noopener' target='_blank'>{link_label}</a>"
         self._assert_reg_field(
             {"honor_code": "required", "terms_of_service": "required"},
             {
@@ -1763,7 +1763,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
 
         # Terms of service field should also be present
         link_label = "Terms of Service"
-        link_template = u"<a href='https://www.test.com/tos' target='_blank'>{link_label}</a>"
+        link_template = u"<a href='https://www.test.com/tos' rel='noopener' target='_blank'>{link_label}</a>"
         self._assert_reg_field(
             {"honor_code": "required", "terms_of_service": "required"},
             {
@@ -1811,7 +1811,7 @@ class RegistrationViewTest(ThirdPartyAuthTestMixin, UserAPITestCase):
 
         link_label = 'Terms of Service'
         # Terms of service field should also be present
-        link_template = u"<a href='/tos' target='_blank'>{link_label}</a>"
+        link_template = u"<a href='/tos' rel='noopener' target='_blank'>{link_label}</a>"
         self._assert_reg_field(
             {"honor_code": "required", "terms_of_service": "required"},
             {
diff --git a/openedx/core/djangoapps/user_authn/views/tests/test_views.py b/openedx/core/djangoapps/user_authn/views/tests/test_views.py
index d396c2f345..f50ce173e6 100644
--- a/openedx/core/djangoapps/user_authn/views/tests/test_views.py
+++ b/openedx/core/djangoapps/user_authn/views/tests/test_views.py
@@ -710,7 +710,7 @@ class LoginAndRegistrationTest(ThirdPartyAuthTestMixin, UrlResetMixin, ModuleSto
                 line_break=HTML('<br/>'),
                 enterprise_name=ec_name,
                 platform_name=settings.PLATFORM_NAME,
-                privacy_policy_link_start=HTML(u"<a href='{pp_url}' target='_blank'>").format(
+                privacy_policy_link_start=HTML(u"<a href='{pp_url}' rel='noopener' target='_blank'>").format(
                     pp_url=settings.MKTG_URLS.get('PRIVACY', 'https://www.edx.org/edx-privacy-policy')
                 ),
                 privacy_policy_link_end=HTML("</a>"),
diff --git a/openedx/core/lib/license/templates/license.html b/openedx/core/lib/license/templates/license.html
index fe1141e9b9..bfa41aa15e 100644
--- a/openedx/core/lib/license/templates/license.html
+++ b/openedx/core/lib/license/templates/license.html
@@ -40,7 +40,7 @@ def parse_license(lic):
         enabled = ["zero"]
         version = license_options.get("ver", "1.0")
     %>
-    <a rel="license" href="https://creativecommons.org/licenses/${'-'.join(enabled)}/${version}/" target="_blank">
+    <a rel="license" href="https://creativecommons.org/licenses/${'-'.join(enabled)}/${version}/" rel="noopener" target="_blank">
     % if button:
         <img src="https://licensebuttons.net/l/${'-'.join(enabled)}/${version}/${button_size}.png"
              alt="${license}"
diff --git a/openedx/features/enterprise_support/utils.py b/openedx/features/enterprise_support/utils.py
index 84dc18e78c..347029267d 100644
--- a/openedx/features/enterprise_support/utils.py
+++ b/openedx/features/enterprise_support/utils.py
@@ -116,7 +116,7 @@ def get_enterprise_sidebar_context(enterprise_customer):
         line_break=HTML('<br/>'),
         enterprise_name=enterprise_customer['name'],
         platform_name=platform_name,
-        privacy_policy_link_start=HTML("<a href='{pp_url}' target='_blank'>").format(
+        privacy_policy_link_start=HTML("<a href='{pp_url}' rel='noopener' target='_blank'>").format(
             pp_url=settings.MKTG_URLS.get('PRIVACY', 'https://www.edx.org/edx-privacy-policy')
         ),
         privacy_policy_link_end=HTML("</a>"),
diff --git a/openedx/features/learner_profile/static/learner_profile/templates/social_icons.underscore b/openedx/features/learner_profile/static/learner_profile/templates/social_icons.underscore
index 496dbd60b4..52b864cfb6 100644
--- a/openedx/features/learner_profile/static/learner_profile/templates/social_icons.underscore
+++ b/openedx/features/learner_profile/static/learner_profile/templates/social_icons.underscore
@@ -1,7 +1,7 @@
 <div class="social-links">
     <% for (var platform in socialLinks) { %>
         <% if (socialLinks[platform]) { %>
-            <a target="_blank" href= <%-socialLinks[platform]%>>
+            <a rel="noopener" target="_blank" href= <%-socialLinks[platform]%>>
                 <span class="icon fa fa-<%-platform%>-square" data-platform=<%-platform%> aria-hidden="true"></span>
             </a>
         <% } %>
diff --git a/openedx/features/learner_profile/templates/learner_profile/learner-achievements-fragment.html b/openedx/features/learner_profile/templates/learner_profile/learner-achievements-fragment.html
index f62b279d93..8818a284fe 100644
--- a/openedx/features/learner_profile/templates/learner_profile/learner-achievements-fragment.html
+++ b/openedx/features/learner_profile/templates/learner_profile/learner-achievements-fragment.html
@@ -35,7 +35,7 @@ from openedx.core.djangolib.markup import HTML, Text
                 )
                 %>
                 % if certificate_url:
-                    <a href="${certificate_url}" target="_blank">
+                    <a href="${certificate_url}" rel="noopener" target="_blank">
                         <div class="card certificate-card mode-${certificate['type']}">
                             <div class="card-logo">
                                 <h4 class="sr-only">
diff --git a/themes/edx.org/lms/templates/dashboard.html b/themes/edx.org/lms/templates/dashboard.html
index c582fc49e9..4b359706b0 100644
--- a/themes/edx.org/lms/templates/dashboard.html
+++ b/themes/edx.org/lms/templates/dashboard.html
@@ -294,7 +294,7 @@ from student.models import CourseEnrollment
           <li class="order-history">
             <span class="title">${_("Order History")}</span>
             % for order_history_item in order_history_list:
-              <span><a href="${order_history_item['receipt_url']}" target="_blank" class="edit-name">${order_history_item['order_date']}</a></span>
+              <span><a href="${order_history_item['receipt_url']}" rel="noopener" target="_blank" class="edit-name">${order_history_item['order_date']}</a></span>
             % endfor
           </li>
           % endif
diff --git a/themes/edx.org/lms/templates/header/navbar-authenticated.html b/themes/edx.org/lms/templates/header/navbar-authenticated.html
index dcec6e8c42..23495cfa05 100644
--- a/themes/edx.org/lms/templates/header/navbar-authenticated.html
+++ b/themes/edx.org/lms/templates/header/navbar-authenticated.html
@@ -67,13 +67,11 @@ from openedx.core.djangoapps.site_configuration import helpers as configuration_
     % endif
     <div class="mobile-nav-item hidden-mobile nav-item">
       % if online_help_token == "instructor":
-        <a class="help-link" href="${get_online_help_info(online_help_token)['doc_url']}" target="_blank">${_("Help")}</a>
+        <a class="help-link" href="${get_online_help_info(online_help_token)['doc_url']}" rel="noopener" target="_blank">${_("Help")}</a>
       % else:
-        <a class="help-link" href="${configuration_helpers.get_value('SUPPORT_SITE_LINK', settings.SUPPORT_SITE_LINK)}" target="_blank">${_("Help")}</a>
+        <a class="help-link" href="${configuration_helpers.get_value('SUPPORT_SITE_LINK', settings.SUPPORT_SITE_LINK)}" rel="noopener" target="_blank">${_("Help")}</a>
       % endif
     </div>
     <%include file="user_dropdown.html"/>
   </div>
 </div>
-
-
diff --git a/themes/stanford-style/lms/templates/register-shib.html b/themes/stanford-style/lms/templates/register-shib.html
index effa820b15..a619398d9e 100644
--- a/themes/stanford-style/lms/templates/register-shib.html
+++ b/themes/stanford-style/lms/templates/register-shib.html
@@ -21,7 +21,7 @@ from openedx.core.djangolib.markup import HTML, Text
       // new window/tab opening
       $('a[rel="external"], a[class="new-vp"]')
       .click( function() {
-      window.open( $(this).attr('href') );
+      window.open( $(this).attr('href'), '', 'noopener' );
       return false;
       });