diff --git a/NEWS b/NEWS
index fb2f0bc39..e0d8a2357 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ Enhancements
  - [web] show calendar names of subscriptions in events blocks
  - [web] show hints for mail vacation options (#4462)
  - [web] allow to fetch unseen count of all mailboxes (#522, #2776, #4276)
+ - [web] add rel="noopener" to external links (#4764)
 
 Bug fixes
  - [web] fixed wrong translation of custom calendar categories
diff --git a/SoObjects/SOGo/NSString+Utilities.m b/SoObjects/SOGo/NSString+Utilities.m
index 83a1ef49c..b7defaa4c 100644
--- a/SoObjects/SOGo/NSString+Utilities.m
+++ b/SoObjects/SOGo/NSString+Utilities.m
@@ -184,7 +184,7 @@ static int cssEscapingCount;
     {
       rangePtr->location += offset;
       urlText = [selfCopy substringFromRange: *rangePtr];
-      newUrlText = [NSString stringWithFormat: @"<a href=\"%@%@\">%@</a>",
+      newUrlText = [NSString stringWithFormat: @"<a rel=\"noopener\" href=\"%@%@\">%@</a>",
                           ([urlText hasPrefix: prefix]? @"" : prefix),
                              urlText, urlText];
       [selfCopy replaceCharactersInRange: *rangePtr
diff --git a/UI/MailPartViewers/UIxMailPartHTMLViewer.m b/UI/MailPartViewers/UIxMailPartHTMLViewer.m
index 296a03441..abaf5d40e 100644
--- a/UI/MailPartViewers/UIxMailPartHTMLViewer.m
+++ b/UI/MailPartViewers/UIxMailPartHTMLViewer.m
@@ -521,6 +521,8 @@ _xmlCharsetForCharset (NSString *charset)
                                    == NSNotFound
                                    && ![value hasPrefix: @"mailto:"]
                                    && ![value hasPrefix: @"#"]);
+                  if (!skipAttribute)
+                    [resultPart appendString: @" rel=\"noopener\""];
                 }
               // Avoid: <div style="background:url('http://www.sogo.nu/fileadmin/sogo/logos/sogo.bts.png' ); width: 200px; height: 200px;" title="ssss">
               else if ([name isEqualToString: @"style"])
diff --git a/UI/Templates/ContactsUI/UIxContactViewTemplate.wox b/UI/Templates/ContactsUI/UIxContactViewTemplate.wox
index 247e883c0..a9aec84c8 100644
--- a/UI/Templates/ContactsUI/UIxContactViewTemplate.wox
+++ b/UI/Templates/ContactsUI/UIxContactViewTemplate.wox
@@ -171,7 +171,7 @@
               <div class="pseudo-input-container" ng-repeat="url in editor.card.urls">
                 <label class="pseudo-input-label"><var:entity const:name="nbsp"/>{{url.type.capitalize() | loc}}</label>
                 <div class="pseudo-input-field">
-                  <a href="#" target="_new" ng-href="{{url.value}}">{{url.value}}</a>
+                  <a href="#" rel="noopener" target="_new" ng-href="{{url.value}}">{{url.value}}</a>
                 </div>
               </div>
             </div>
diff --git a/UI/Templates/SchedulerUI/UIxAppointmentViewTemplate.wox b/UI/Templates/SchedulerUI/UIxAppointmentViewTemplate.wox
index f4b04ad83..dec7df147 100644
--- a/UI/Templates/SchedulerUI/UIxAppointmentViewTemplate.wox
+++ b/UI/Templates/SchedulerUI/UIxAppointmentViewTemplate.wox
@@ -125,7 +125,7 @@
         <!-- attach urls -->
         <md-list-item ng-show="::(editor.component.attachUrls.length > 0)">
           <md-icon>link</md-icon>
-          <p ng-repeat="url in ::editor.component.attachUrls"><a target="_new" ng-href="{{::url.value}}" ng-bind="::url.value"><!-- link --></a></p>
+          <p ng-repeat="url in ::editor.component.attachUrls"><a rel="noopener" target="_new" ng-href="{{::url.value}}" ng-bind="::url.value"><!-- link --></a></p>
         </md-list-item>
         <!-- comment -->
         <md-list-item ng-show="::editor.component.comment">
diff --git a/UI/Templates/SchedulerUI/UIxTaskViewTemplate.wox b/UI/Templates/SchedulerUI/UIxTaskViewTemplate.wox
index 975bd7202..d9dda8b7c 100644
--- a/UI/Templates/SchedulerUI/UIxTaskViewTemplate.wox
+++ b/UI/Templates/SchedulerUI/UIxTaskViewTemplate.wox
@@ -98,7 +98,7 @@
         <!-- attach urls -->
         <md-list-item  ng-repeat="url in ::editor.component.attachUrls">
           <md-icon>link</md-icon>
-          <p><a ng-href="{{::url.value}}" target="_new" ng-bind="::url.value"><!-- link --></a></p>
+          <p><a ng-href="{{::url.value}}" rel="noopener" target="_new" ng-bind="::url.value"><!-- link --></a></p>
         </md-list-item>
         <!-- comment -->
         <md-list-item ng-show="::editor.component.comment">
diff --git a/UI/WebServerResources/js/Common/txt2html.filter.js b/UI/WebServerResources/js/Common/txt2html.filter.js
index d84715e42..cd690f2c6 100644
--- a/UI/WebServerResources/js/Common/txt2html.filter.js
+++ b/UI/WebServerResources/js/Common/txt2html.filter.js
@@ -14,7 +14,7 @@
   function txt2html(linkyFilter) {
     return function(text) {
       // Linky will first sanitize the text; linefeeds are therefore encoded.
-      return text ? String(linkyFilter(text, ' _blank')).replace(/&#10;/gm, '<br>') : undefined;
+      return text ? String(linkyFilter(text, ' _blank', { rel: 'noopener' })).replace(/&#10;/gm, '<br>') : undefined;
     };
   }