MSIE browser entrapment vulnerability demo

There is an entertaining yet somewhat frightening vulnerability in Microsoft Internet Explorer 7 and possibly other browsers. The flaw is a combination of a boneheaded JavaScript onUnload handler design in many browsers, which effectively allows a malicious page to prevent the visitor from leaving the site, and a flawed method of handling transitions between pages. This enables the attacker not only to trap a visitor, but also to pretend that the visitor's attempt to navigate to an unrelated webpage was successful, which enables all sorts of spoofing and phishing attacks.

To test for the vulnerability, simply try manually navigating to google.com, cnn.com, slashdot.org, or some other site of your choice.
You need to have JavaScript enabled.

Questions and comments: Michal Zalewski <lcamtuf@coredump.cx>.