Google Chrome prior to 12.0.742.91 allows remote malicious users to inject script into a tab page via vectors related to extensions.
google chrome