FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

firefox -- PLUGINSPAGE privileged javascript execution

Affected packages
firefox < 1.0.3,1
linux-firefox < 1.0.3

Details

VuXML ID ce6ac624-aec8-11d9-a788-0001020eed82
Discovery 2005-03-31
Entry 2005-04-16

A Mozilla Foundation Security Advisory reports:

When a webpage requires a plugin that is not installed, the user can click to launch the Plugin Finder Service (PFS) to find an appropriate plugin. If the service does not have an appropriate plugin, the EMBED tag is checked for a PLUGINSPAGE attribute, and if one is found, the PFS dialog will contain a "manual install" button that will load the PLUGINSPAGE URL.

Omar Khan reported that if the PLUGINSPAGE attribute contains a javascript: URL, then pressing the button could launch arbitrary code capable of stealing local data or installing malicious code.

Doron Rosenberg reported a variant that injects script by appending it to a malformed URL of any protocol.
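
One way to vet a PLUGINSPAGE value before a "manual install" control is allowed to load it, as an added example that is not Mozilla's fix and not code from the advisory: the scheme is read from the WHATWG URL parser rather than from the raw string, only http and https pass, and the caller receives the parser's serialized form. The function name, the allowlist and the sample values are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names; not Firefox code).
// Only these schemes may be opened from an untrusted PLUGINSPAGE attribute.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

function vetPluginsPage(rawValue) {
  if (typeof rawValue !== "string" || rawValue.length === 0) {
    return { ok: false, reason: "missing" };
  }
  let parsed;
  try {
    // No base URL is supplied: relative or malformed values throw
    // instead of being resolved into something loadable.
    parsed = new URL(rawValue);
  } catch (err) {
    return { ok: false, reason: "unparseable" };
  }
  // Check the scheme the parser resolved, not a prefix of the raw text.
  // The parser strips tabs/newlines and lowercases the scheme, so
  // " Java\tScript:" is still recognised as javascript:.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme " + parsed.protocol };
  }
  // Hand back the normalized serialization, never the raw attribute,
  // so what gets loaded is exactly what was checked.
  return { ok: true, url: parsed.href };
}

// Constructed sample attribute values, not taken from the bug reports.
const SAMPLES = [
  "https://plugins.example.org/install",
  "HTTP://Plugins.Example.org/a b",
  "javascript:alert(1)",
  " Java\tScript:alert(1)",
  "data:text/html,hello",
  "plugins/install.html",
];

function vetAll(values) {
  return values.map((v) => ({ input: v, result: vetPluginsPage(v) }));
}

for (const { input, result } of vetAll(SAMPLES)) {
  console.log(JSON.stringify(input), "->", JSON.stringify(result));
}
```

A naive `startsWith("javascript:")` test on the raw attribute would miss the fourth sample, which is why the check runs on the parsed scheme.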

References

CVE Name CVE-2005-0752
URL http://www.mozilla.org/security/announce/mfsa2005-34.html
URL https://bugzilla.mozilla.org/show_bug.cgi?id=288556
URL https://bugzilla.mozilla.org/show_bug.cgi?id=289171