There is a wide class of application security vulnerabilities known as "stored cross-site scripting", which generally means that, when you visit a website (regardless of its repute), some code that was not designed by the website owner begins executing on your computer. 99.9999% of the time, the code that starts executing is JavaScript. The JavaScript can sometimes successfully trigger the execution of other code, such as Flash, Java applets, ActiveX, and so on. They can also cause popups, install malicious tracking cookies, and obtain things like your screen size, user agent string, the website you came from, and may even be able to set up Cross Frame Scripting, a related attack where you think you're interacting with the current website but actually interacting with an attacker's website.
The reason why these attacks happen is that websites allow unvalidated input to be entered on the website, and then retrieved later for display. Sometimes this happens because of an insecure webserver, and sometimes they just don't do proper input validation.
This is extremely common on websites such as forums, message boards, and "Comments" sections of content management system (CMS) websites; basically, anywhere that users can enter their own data. Superuser, in fact, is one example of such a site.
There are ways to defend against and/or prevent these attacks, but they're extremely common. The Open Web Application Security Project says that Stored XSS is/was the #2 most dangerous application security flaw in 2010. It provides ways for website owners to attempt to test their website for these vulnerabilities using their tests, for example, here.
The site might be reputable, but that doesn't mean the adspace in the reputable site is – Chad Harrison – 2012-08-07T16:12:53.283
Very true, so you have several shots at being taken out, compromised reputable site, reputable site with an XSS vulnerability or a reputable site hosting ads that get swapped for infectors. I've seen all the above in the last six months. – Fiasco Labs – 2012-08-07T16:54:12.360
I actually saw an injection method where JavaScript brought in the ASCII representation of VBScript where the VBScript was later converted and invoked by the browser coming from Brazil. This came from an ad from a reputable site (can't remember now). – Chad Harrison – 2012-08-07T17:35:44.293
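The store-then-display flaw described in the answer above, shown beside the output-encoding fix. This is an added example, not part of the original answer or comments; the comment store, function names and sample comments are all constructed for illustration.

```javascript
// Added example: in-memory stand-in for a site's comments table (hypothetical).
const comments = [];

// Storing the text verbatim is fine; the flaw or the fix is at display time.
function saveComment(author, body) {
  comments.push({ author, body });
}

// Vulnerable: stored text is concatenated straight into the page markup,
// so any tags a user typed become part of the page every visitor loads.
function renderUnsafe() {
  return comments
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join("\n");
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened: every stored field is encoded when it is written into HTML.
function renderSafe() {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Test helper: list tags in rendered output that the template did not emit.
function unexpectedTags(html) {
  const allowed = new Set(["li", "b"]);
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags
    .map(t => t.replace(/^<\/?/, "").toLowerCase())
    .filter(t => !allowed.has(t));
}

// Constructed sample input: one ordinary comment, one carrying markup.
saveComment("alice", "Nice article & thanks!");
saveComment("mallory", "<script>alert(1)</script>");

console.log(unexpectedTags(renderUnsafe())); // [ 'script', 'script' ]
console.log(unexpectedTags(renderSafe()));   // []
```

A check like `unexpectedTags` fits in a regression test for a page template; it is not a substitute for encoding at output.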