Drive-by downloads are the processes by which a malicious site can download content to the user’s computer without that user having any knowledge that it is happening. This is not a problem exclusive to iframe security, but since using an iframe to secure an application allows the application developer to run any frontend code she wishes, the potential for drive-by downloads is magnified.
Drive-by downloads may mimic the functionality of a pop-up window. When attempting to dismiss the pop up, the user may inadvertently download spyware, malware, or viruses onto his system. These pop-up windows may appear as error reports, advertising, or any other deceptively common message. Since the user’s action initiates the attack, he is considered to have given consent to download the malicious package.
This is just one of the methods that a malicious developer may employ. Drive-by downloads take many forms and can be a prevalent problem when third-party code is allowed to run unchecked within an application container.