window.opener vulnerability: https://news.ycombinator.com/item?id=11631292
window.open("http://xkcd.com")
window.opener.location = "https://news.ycombinator.com"