Google’s John Mueller said on Twitter that Google “generally recommends not keeping open redirects.”
An open redirect is when a parameter values (the portion of URL after “?”) in an HTTP GET request allow for information that will redirect a user to a new website without any validation of the target of redirect. This can lead your site to allowing redirects to any URLs on the web, even malware.
John Mueller explained that if someone does exploit your open redirects, it can lead Google search to flag your website and potentially remove it from search. John said “if someone were to redirect to malware or phishing content through your site, then the URLs on your site would lead there, and could be flagged.”
The ironic thing is last year Google was caught with this exploit. The truth is, sometimes a developer can implement this and then you forget about it and before you know it, your site is being used by unscrupulous people to hurt others. Google may notify you have these issues via Google Search Console, by the way.
But still, you want to try to be on top of this before it becomes an issue.
Forum discussion at Twitter.