All Web-based spyware is dependant on being able to exploit features and security vulnerabilities within a Web browser to infect a computer; without the features and flaws, infection isn't possible.

One of the most common methods of attack is through ActiveX controls. These are small programs downloaded to your computer to provide special functionality not available through basic HTML (Hypertext Markup Language) script, such as a Web-based interactive pie chart creator. However, because these are executable programs whose purpose is to extend the functionality of the Web browser, the developers of these controls have extensive access to the internals of both Windows and the Web browser.

Similarly, the active scripting functionality within Internet Explorer is a two-edged sword. Many security vulnerabilities have been found within both the ActiveX management system and the active scripting system, and the access these systems are granted by default makes it extremely easy for a malicious Web site to infect a computer.
Internet Explorer Security Zones are supposed to prevent these types of security issues, but unfortunately, even this system has been proven insecure.