Cross-site scripting by dropping javascript: link on tab — Mozilla

Dropping a javascript: or data: link on a tab executes in the context of the site already loaded in the tab. If an attacker could convince a user to drag and drop such a link on a particular tab this could be used to steal information or credentials associated with the site in that tab...

javascript: links in Thunderbird launch Internet Explorer — Mozilla

Clicking on javascript: links in Thunderbird launched the default handler for that scheme registered with the OS. On the Windows operating system Internet Explorer is the default handler for the javascript: scheme even when Firefox is the default browser...