An ill-conceived feature in the widely used Acrobat Reader renders many websites vulnerable to client Cross Site Scripting. The flaw requires user action but is easily exploited in numerous ways.
The Universal PDF XSS flaw was discovered by Stefano Di Paola and Giorgio Fedon, and uses a feature known as "Open Parameters" in Acrobat Reader to permit Cross Site Scripting with JavaScript injection. Symantec's Hon Lau has written a good blog entry on the issue.
SecurityFocus