Ars Technica has the story.
Browsers are generally designed to prevent a script from one site from being able to access content from another site. They do this by enforcing what is called the Same Origin Policy (SOP): scripts can only read or modify resources (such as the elements of a webpage) that come from the same origin as the script, where the origin is determined by the combination of scheme (which is to say, protocol, typically HTTP or HTTPS), domain, and port number.
The SOP should then prevent a script loaded from http://malware.bad/ from being able to access content at https://paypal.com/.
The bug breaks the proper handling of SOP. The answer is to use a different browser, such as Mozilla’s Firefox, Opera, or Google’s Chrome.
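The origin comparison described above can be written out as a short check. This is an added example, not code from the article or from any browser: the function names, the default-port table and every sample URL other than the two hosts named above are assumptions made for illustration, and schemes outside the table (including `file:`) are simply treated as opaque here.

```javascript
// Default ports for schemes that carry a (scheme, host, port) origin tuple.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Return the origin tuple for a URL, or null when the URL does not parse or
// its scheme has an opaque origin (data:, javascript:, about:, ...).
function originTuple(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null;
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),            // "https:" -> "https"
    host: u.hostname,                           // already lowercased by the URL parser
    port: u.port || DEFAULT_PORTS[u.protocol],  // empty string means the default port
  };
}

// Two URLs are same-origin only if scheme, host and port all match.
// Path, query and fragment play no part in the comparison.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (!x || !y) return false; // an opaque origin matches nothing, not even itself
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs; only malware.bad and paypal.com come from the text.
const samples = [
  ["http://malware.bad/", "https://paypal.com/"],             // different host and scheme
  ["https://paypal.com/a", "HTTPS://PayPal.com:443/b?x=1"],   // same origin after normalisation
  ["http://paypal.com/", "https://paypal.com/"],              // scheme differs
  ["https://paypal.com/", "https://paypal.com:8443/"],        // port differs
  ["https://paypal.com/", "https://www.paypal.com/"],         // host differs
  ["data:text/html,hi", "data:text/html,hi"],                 // opaque origin
];
for (const [a, b] of samples) {
  console.log(sameOrigin(a, b) ? "same origin " : "cross origin", a, b);
}
```

A bug of the kind the article describes means the browser lets a script through even though a check like this would have said "cross origin".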