Secunia has reported of a vulnerability allowing a third party to hi-jack, for instance, pop-ups from an legitimate site.

In other words, a malicious site would be able to direct a user to a real site (for instance a bank) and take over any pop-up such site might open (a login screen), leading to any data entered there being instantly compromised.