Secunia reports a frame-injection vulnerability in Firefox 1.0.3 and
1.0.4. Mozillazine has details, including a comment that you can close the hole (until 1.0.5 is released) by clicking Tools, Options, Advanced, Tabbed Browsing and changing “open links in a new window” to “open links in a new tab in the most recent window”:
A Secunia bulletin also notes that a similar hole has existed in Internet Explorer 5.x and 6.x since June 2004 and has not yet been patched by Microsoft (but there is a workaroud).