You know those nifty "Widgets" that MacOS X 10.4 supports; those lightweight HTML/JavaScript objects that sit on a special desktop layer and can show you the weather/train timetables/your iTunes playlist/how all those APPL shares you bought are doing? Well, they can automatically install themselves without your consent, as
this page demonstrates. The author even provides a
goatse.cx widget (not auto-installed, mercifully) to underscore the potential for mayhem.
Meanwhile, a carefully-constructed trick webpage can cause Firefox to execute arbitrary code on any platform (such as, say, installing rootkits or botnet clients). The Mozilla Foundation have patched this, though it's not in the Debian distro yet.
It's odd that you would mention debian - is that what you are running? Or is that what dev\null is served from?