browsers run scripts by default, then clicking a malicious link ...
Another big problem is application permissions, for example, secure application once running, scripts can be executed, loaded dlls, exe files to be downloaded in the background (such as images, text files, cookie ...)
scripts can execute commands like "file:///" directly by the browser
