I have just seen a Yahoo e-mail exploit stealing the Yahoo cookie from Yahoo Mail.
This is no good.
Yahoo Mail is vulnerable to XSS because it fails to validate the From field of the email header.
You receive an exploit email and open it in the browser, and that's it: an external script runs in the current session and sends your cookie.
Exploit – http://pastebin.com/GpNs0ACX
The response from the URL embedded in the From field returns a script that tries to inject an iframe whose src exfiltrates the cookie. If that fails, it falls back to an image src to exfiltrate the Yahoo cookie.
Hope Yahoo fixes it ASAP.
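The missing From-field handling described above, shown as an added example (not code from Yahoo or from the original post): a webmail view that drops the sender header into HTML as-is, next to one that escapes it at output time. The message text, the `evil.example` host, the function names and the `from` CSS class are all constructed for illustration.

```python
import base64
import html
from email import message_from_string, policy

# Constructed payload standing in for the markup the post describes in the From field.
PAYLOAD = "<script src=//evil.example/c.js></script>"

def sample_message(display_name_field):
    """Build a constructed raw message with the given From display-name text."""
    return f"From: {display_name_field} <sender@example.com>\nSubject: hi\n\nbody\n"

# Two constructed variants: markup in a quoted string, and the same markup
# inside an RFC 2047 encoded-word, where it only becomes visible after decoding.
QUOTED = sample_message('"' + PAYLOAD + '"')
ENCODED = sample_message("=?utf-8?b?" + base64.b64encode(PAYLOAD.encode()).decode() + "?=")

def sender_parts(raw):
    """Return (display_name, address) with encoded-words already decoded."""
    msg = message_from_string(raw, policy=policy.default)
    header = msg["From"]
    if header is None:
        return "", ""
    addrs = getattr(header, "addresses", ())
    if addrs:
        return addrs[0].display_name, addrs[0].addr_spec
    return str(header), ""  # unparseable: treat the whole value as untrusted text

def render_from_unsafe(raw):
    """The vulnerable pattern: header text concatenated straight into HTML."""
    name, addr = sender_parts(raw)
    return f'<span class="from">{name} &lt;{addr}&gt;</span>'

def render_from_safe(raw):
    """Escape at output time, after decoding, so both variants render as inert text."""
    name, addr = sender_parts(raw)
    return ('<span class="from">' + html.escape(name, quote=True)
            + " &lt;" + html.escape(addr, quote=True) + "&gt;</span>")

if __name__ == "__main__":
    for raw in (QUOTED, ENCODED):
        print(render_from_safe(raw))
```

Escaping after decoding matters here: a filter that inspects the raw header bytes never sees the markup in the encoded-word variant.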