Security researcher David Leo has announced a vulnerability in IE 11 that Microsoft has yet to patch. This zero-day vulnerability, termed Universal XSS, bypasses the Same Origin Policy (SOP) implemented by IE. SOP ensures that one site cannot access cookies or other content set by another site.
Bypassing SOP means that an attacker can steal anything from another domain (site) and inject anything into it.
A proof of concept has been put up on the domain deusen.co.uk, which acts as the attacking domain. The target domain is dailymail.co.uk: the attacking domain changes its content to include “Hacked by Deusen”.