insecure handling of links due to missing noopener usage #2608

@vapier

Description

for background details, check out this page:
https://dev.to/dhilipkmr/why-should-you-use-noopener-beware-of-security-flaws-3i57

this seems to affect xterm-addon-web-links and the mouse zone manager. it's easy to reproduce with the web-links addon, but i have no idea how to trigger the latter code.

unfortunately, window.open is not a friendly API. when you add noopener to the features field, it resets all the other defaults on you. MDN has good documentation on this.

it's also somewhat still a relatively new feature (only available for ~2 years now), so if supporting older browsers is important, more work is required.

so the fix isn't as simple as say:

-  window.open(uri, '_blank');
+  window.open(uri, '_blank', 'noopener');
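Review bot: the `+  window.open(uri, '_blank', 'noopener');` line passes a non-empty features string, which, as the description notes, resets window.open's other defaults and is only honoured by browsers from roughly the last two years; rather than landing this one-liner in each call site, route both the web-links addon and the mouse zone manager through a single helper (the approach the linked hterm lib_f.js change takes) so the handling of the features quirk and any fallback for older browsers lives in one place.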

fwiw, i added a utility function to hide this ugliness in hterm, and then updated all APIs to use that helper.
https://chromium.googlesource.com/apps/libapps/+/hterm-1.87/libdot/js/lib_f.js#283
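
An added helper illustrating the shape of the fix described above (this is example code, not code from the issue, xterm.js or hterm): it requests noopener and, for a browser that ignores the feature and still hands back a Window, nulls out opener itself; the injectable `win` parameter and the second, audit-style function that flags anchors still leaking opener are assumptions for demonstrating the check outside a browser.

```javascript
// Example code (not from xterm.js, hterm or the issue author).
// Opens `uri` in a new browsing context without giving the new page a usable
// window.opener. `win` is injected so this can run outside a browser; page code
// simply calls openExternalLink(uri) and the default picks up window.
function openExternalLink(uri, win = globalThis.window) {
  // Ask for noopener explicitly. A browser that honours it returns null instead
  // of a Window. Note the quirk from the issue: any non-empty features string
  // also switches off the other window.open defaults, so we accept that here
  // rather than silently losing the feature by leaving the string empty.
  const opened = win.open(uri, '_blank', 'noopener,noreferrer');
  if (opened) {
    // Older browser that ignored the feature and returned the Window: sever
    // the reverse link ourselves so the new page cannot script this one.
    opened.opener = null;
  }
  // null here means either noopener was honoured or a popup blocker stepped
  // in; in both cases the new page holds no reference back to us.
  return opened;
}

// Defender-side check: return the anchors that open a new context but keep
// window.opener reachable. Accepts any iterable of objects exposing `target`
// and `rel`, e.g. document.querySelectorAll('a[target]') in a real page.
// rel=noreferrer is treated as safe because the HTML spec makes it imply
// noopener.
function findLeakyBlankLinks(anchors) {
  const leaky = [];
  for (const a of anchors) {
    if ((a.target || '').toLowerCase() !== '_blank') continue;
    const rel = (a.rel || '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener') && !rel.includes('noreferrer')) leaky.push(a);
  }
  return leaky;
}
```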
