diff --git a/frontend/src/lib/shared/discussion/MentionDropdown.svelte b/frontend/src/lib/shared/discussion/MentionDropdown.svelte
index 5e6c2157..921d9e6f 100644
--- a/frontend/src/lib/shared/discussion/MentionDropdown.svelte
+++ b/frontend/src/lib/shared/discussion/MentionDropdown.svelte
@@ -188,7 +188,7 @@ function selectItem(item: Person) {
 		<a
 			href="/persons/new"
 			target="_blank"
-			rel="noopener"
+			rel="noopener noreferrer"
 			class="flex min-h-[44px] items-center gap-2 border-t border-line px-3 py-2.5 font-sans text-sm font-medium text-brand-navy hover:bg-canvas focus:bg-canvas focus:outline-none"
 			onmousedown={(e) => e.preventDefault()}
 		>
diff --git a/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts b/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts
index cf2205b8..71a7ad61 100644
--- a/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts
+++ b/frontend/src/lib/shared/discussion/MentionDropdown.svelte.spec.ts
@@ -77,6 +77,19 @@ describe('MentionDropdown — search input', () => {
 		await expect.element(page.getByText(m.person_mention_search_prompt())).not.toBeInTheDocument();
 	});
 
+	it('"create new person" link has rel="noopener noreferrer" (CWE-116)', async () => {
+		render(MentionDropdown, {
+			model: makeModel([]),
+			editorQuery: 'unknown', // non-empty so the empty-state link renders
+			onSearch: () => {}
+		});
+
+		const link = document.querySelector('a[href="/persons/new"]') as HTMLAnchorElement;
+		expect(link).not.toBeNull();
+		expect(link.getAttribute('rel')).toContain('noopener');
+		expect(link.getAttribute('rel')).toContain('noreferrer');
+	});
+
 	it('search input wrapper meets the 44px touch target (WCAG 2.2 AA)', async () => {
 		render(MentionDropdown, {
 			model: makeModel(),