Netscape Communicator prior to 4.77 allows remote malicious users to execute arbitrary Javascript via a GIF image whose comment contains the Javascript.
Florian Wesch has discovered a problem (reported to bugtraq) with the
way Netscape handles comments in GIF files. The Netscape browser
does not escape the GIF file comment in the image information page.
This allows JavaScript execution in the "about:" protocol and can, for
example, be used to upload the History (about:global) to a webserver,
thus ...
source: www.securityfocus.com/bid/2637/info
Due to a flaw in Navigator's security code, all URLs in the about: protocol are considered to be part of the same domain.
If arbitrary Javascript code is placed in a GIF's comment field, it is treated like a normal HTML page. The Javascript code will run from the image information page in the int ...
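
An added example, not part of the original advisories: a minimal Python parser that extracts GIF comment extension blocks (label 0xFE) and HTML-escapes them before they are placed in an information page, which is the step the advisories say the browser omitted. The function names, the table-row markup and the sample bytes are constructed for illustration.

```python
import html

def _sub_blocks(data, pos):
    """Read a chain of length-prefixed sub-blocks; return (payload, next_pos)."""
    out = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:                      # zero-length block terminates the chain
            return bytes(out), pos
        if pos + size > len(data):
            raise ValueError("truncated sub-block")
        out += data[pos:pos + size]
        pos += size

def gif_comments(data):
    """Return the text of every comment extension in a GIF byte string."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                               # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                    # global colour table present
        pos += 3 * (2 << (data[10] & 7))
    comments = []
    while pos < len(data) and data[pos] != 0x3B:   # 0x3B is the trailer
        intro, pos = data[pos], pos + 1
        if intro == 0x21 and pos < len(data):      # extension block
            label = data[pos]
            payload, pos = _sub_blocks(data, pos + 1)
            if label == 0xFE:                      # comment extension
                comments.append(payload.decode("latin-1"))
        elif intro == 0x2C and pos + 9 < len(data):  # image descriptor
            packed = data[pos + 8]
            pos += 9
            if packed & 0x80:                      # local colour table present
                pos += 3 * (2 << (packed & 7))
            _, pos = _sub_blocks(data, pos + 1)    # skip LZW code size + pixel data
        else:
            raise ValueError("unknown or truncated block")
    return comments

def render_info_row(comment):
    """Emit the comment as inert text: markup characters become entities."""
    return "<tr><td>Comment:</td><td>" + html.escape(comment) + "</td></tr>"

# Constructed sample: 1x1 GIF, one image block, then a comment holding markup.
_C = b"<script>/* constructed */</script>"
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
              b"\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4C\x01\x00"
              b"\x21\xFE" + bytes([len(_C)]) + _C + b"\x00\x3B")
```

The same extraction can be used to flag image files whose comment field contains `<` or `>` before they are served or archived.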