I have recently been reading about reverse tabnabbing, where a child window can change the url of the parent window if it has access to
window.opener (which it has by default unless you explicitly disallow it)
In this case the phishing attack is to change the parent tab url and present a similar UI as some trusted website to get user credentials and assume that user might not be able to notice that the url has changed.
I would like to understand why can’t this happen in the child window itself ? Agreed that attention wise there are more chances that user would pay less attention to the parent window after the child window is opened, but after sometime, when the user has not been looking at either of the tabs, wouldn’t it be similar to just change the url of the child window instead of the parent window ?
Are there any other security concerns that do not allow this?