Phishing using IE7 local resource vulnerability
Aviv Raff, an Israel-based security researcher, has discovered a design flaw in Microsoft’s Internet Explorer 7 that allows cross-site scripting through one of IE’s local resources and exposes users to phishing attacks. According to his blog, it can be exploited by creating a specially crafted link to the navcancl.html local resource, with a script that displays fake content for a trusted site. When the victim opens the link sent by the attacker, a “Navigation Cancelled” page is displayed. If the victim then clicks the “Refresh the Page” link, they are taken to a fake website, while the address bar shows the legitimate address of the trusted site.






