Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0650 to
the following vulnerability:
WebKit, as used in Google Chrome before 126.96.36.199 and Apple Safari, allows remote attackers to bypass intended restrictions on popup windows via crafted use of a mouse click event.
I can't reproduce in Arora - QtWebKit based (with Qt 4.6.1) with popup windows blocker enabled. With disabled it works as expected - new tab is opened.
I've tested couple of browsers in Fedora using webkitgtk or qtwebkit. I was only able to get a popup using the test case from google bug with arora with popup blocking disabled (as mentioned in comment #1). Other browsers either don't seem to handle popups or block them and don't offer a way to disable blocking.
The upstream changeset to correct this is here: