Internet Explorer 11 on Windows 7 and Windows 8.1 is currently affected by a universal cross-site scripting (UXSS) flaw. An attacker who gets a victim to open a malicious website can run script in the context of other sites the victim is logged in to, which means injecting content into those sites or reading data from them, such as authentication cookies, in spite of the same-origin policy.
Words only go so far in explaining the nature of such an attack; this proof of concept demonstrates it harmlessly.
Microsoft has acknowledged the flaw and is working toward a fix. In the meantime, your options for protecting yourself are limited. Because the bug lies in how the rendering engine enforces the same-origin policy rather than in memory safety, the attacker's script runs as ordinary, legitimate script inside the browser, only in the wrong origin. Sandboxing such as Enhanced Protected Mode and the exploit mitigations in the Enhanced Mitigation Experience Toolkit (EMET) therefore do nothing against it. What does help is turning off Active scripting for the Internet zone:
- Go to Internet Options (either through the control panel or the cog wheel in IE11)
- Security tab
- Make sure Internet Zone is highlighted
- Click Custom Level
- Scroll down to Scripting category
- Set Active scripting to Disable
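The same change can be made and verified from PowerShell, which is useful when you need to apply it to more than one machine. This is an added example, not code from the original post. It assumes the registry layout that the Internet Options dialog writes to: zone `3` is the Internet zone, value `1400` is Active scripting, and `0`, `1`, `3` mean Enable, Prompt and Disable. It edits the per-user key under HKCU; settings pushed by Group Policy take precedence over it.

```powershell
# Added example (not from the original post): disable Active scripting for the
# Internet zone by writing the same registry value the Custom Level dialog sets.
# Assumptions: Zones\3 = Internet zone, value 1400 = Active scripting,
# 0 = Enable, 1 = Prompt, 3 = Disable. Per-user (HKCU); Group Policy overrides it.

$zonePath        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$activeScripting = '1400'

function Get-ActiveScriptingState {
    # Read the current value and translate it into the label shown in the dialog.
    $v = (Get-ItemProperty -Path $zonePath -Name $activeScripting -ErrorAction SilentlyContinue).$activeScripting
    if ($null -eq $v) { return 'Not set (zone default applies)' }
    switch ([int]$v) {
        0       { 'Enable' }
        1       { 'Prompt' }
        3       { 'Disable' }
        default { "Unknown ($v)" }
    }
}

function Disable-ActiveScripting {
    # Create the zone key if it does not exist yet, then set 1400 = 3 (Disable).
    if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
    Set-ItemProperty -Path $zonePath -Name $activeScripting -Value 3 -Type DWord
}

"Before: $(Get-ActiveScriptingState)"
Disable-ActiveScripting
"After:  $(Get-ActiveScriptingState)"
```

Run the script as the user whose profile you want to harden, then open Internet Options to confirm that Active scripting in the Internet zone now shows Disable. The setting applies only to that zone, so script still runs for sites in the Local intranet and Trusted sites zones; keep those zones limited to sites you actually trust while the flaw is unpatched. Expect a lot of ordinary sites to stop working properly until scripting is turned back on.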