Wednesday, July 26, 2006

Internet Drive-By Shootings

The key requirement is that the attacker must be able to force the user to execute a small piece of JavaScript code. There are a number of ways this can happen:
* Embed JavaScript into a Flash-based banner ad
* Send an email to each user with a link to a web site
* Post a link inside blog comment spam
* Post a link inside a web forum comment
* Exploit an XSS issue to embed JavaScript into a trusted web site
* Trigger a PostBack link into a high-profile blog
* Flood popular sites with bogus referrers
Read this post from the Metasploit blog.
