Security researcher Michal Zalewski has identified a problem with the way that Mozilla Firefox handles links that are opened in a new browser window or tab. The vulnerability, which Mozilla has fixed in the upcoming version 3.6.4 of Firefox, has the effect of tricking users into thinking that they re visiting a legitimate site while instead sending arbitrary attacker-controlled code to their browsers. The harder way is to use an URL that legitimately returns HTTP 204; the easier way is simply call window.stop().
Source: https://threatpost.com/new-firefox-flaw-enables-url-spoofing-code-injection-062210/74138/