Action.OpenUrl with a top-level browsing context

While HTML links [launch without an opener reference][spec],
[`window.open`][vulnerability] provides a reference to the parent page
through an auxiliary browsing context. Given untrusted URL input, this
can lead to tabnabbing and phishing attacks.

This change uses the [noopener] and [noreferrer] [window features] for
the default link handler in the React renderer.

[spec]: whatwg/html#4078
[vulnerability]: https://mathiasbynens.github.io/rel-noopener/
[window features]: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#windowfeatures
[noopener]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noopener
[noreferrer]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noreferrer

Author: sch

source/nodejs/adaptivecards-react/src/adaptive-card.tsx

@@ -43,7 +43,7 @@ const propTypes = {
 };
 
 const defaultOpenUrlHandler = (action: AdaptiveCards.OpenUrlAction) => {
-    window.open(action.url, '_blank');
+    window.open(action.url, '_blank', 'noopener,noreferrer');
 };
 
 const setUpMarkdownIt = () => {