I'll quote Michal Zalewski, who discovered the vulnerability (http://seclists.org/fulldisclosure/2007/Jun/0026.html):

When Javascript code instructs [the browser] to navigate away from a page 
   that meets same-domain origin policy (and hence can be scriptually 
   accessed and modified by the attacker) to an unrelated third-party 
   site, there is a window of opportunity for concurrently executed 
   Javascript to perform actions with the permissions for the old page, 
   but actual content for the newly loaded page, for example: 

     - Read or set victim.document.cookie, 

     - Arbitrarily alter document DOM, including changing form submission 
       URLs, injecting code, 

     - Read or write DOM structures that were not fully initialized, 
       prompting memory corruption and browser crash. 

Proof of concept located at http://lcamtuf.coredump.cx/ierace/

Confirmed vulnerable on fully-patched Tiger installation with nightly WebKit build r22026.