Morden browser apply noopenerfor you, but for lagacy browser might not.
What noopenerdoes is that, it set window.openerto null, which can prevent evil site change the original site url points to a phising site.
A: is wrong, should be prevent newly opened site to access original site
noreferrer: for example you open a link https://example.com, without noreferrer, you can access original site url through document.referrer, looks like https://www.website.com/community?userId=123, it can access the query params which might be sensitive to the user.
noreferreralso make sure noopeneralso applied.
therefore Answer B is correct.
More information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
Answer: B, D