An iframe, also known as an inline frame, is an HTML element used to embed another document (page) within the current HTML document on a website. A web developer can choose the size of the iframe to suit the application: it can be as large as the whole page, or as small as a 1×1 pixel box, which is effectively invisible to the human eye. Within an iframe, a person with malicious intent could embed a harmful website or use XSS (cross-site scripting) to execute scripts in the background while you browse the site. For example, someone could host a website whose landing page looks completely normal, while somewhere in the background of the page there is an iframe with malicious code embedded. The site could then bring up an actual, legitimate login screen for a service like Google or Facebook while their code records every keystroke you type. For instance, a person could be on a website reading an article and then be asked to sign in to “share” what they’re reading with others. Although the login process the site presents is legitimate, an iframe with malicious code somewhere on the website could record everything they typed in.
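The paragraph above describes iframes shrunk to a 1×1 pixel box or otherwise hidden so that a reader never notices them. As an added example (not code from the original article), the following Node.js script scans a page's HTML and flags iframes that look deliberately hidden: zero- or one-pixel dimensions, `display:none`, `visibility:hidden`, or `opacity:0`. It uses simple regular expressions rather than a full HTML parser, which is enough for a quick triage pass over a saved page; the sample HTML and the hostnames in it are constructed for the example.

```javascript
// Added example: flag hidden or near-invisible iframes in an HTML document.
// Not code from the original article; the sample page below is constructed.

// Pull every <iframe ...> opening tag out of an HTML string.
function extractIframeTags(html) {
  return html.match(/<iframe\b[^>]*>/gi) || [];
}

// Read one attribute value (double-quoted, single-quoted or bare) from a tag.
function getAttr(tag, name) {
  const re = new RegExp(
    '\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))',
    'i'
  );
  const m = tag.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Parse "1", "1px", "0" etc. into a number of pixels; null if not numeric.
function toPixels(value) {
  if (value == null) return null;
  const m = String(value).trim().match(/^(\d+(?:\.\d+)?)(px)?$/i);
  return m ? parseFloat(m[1]) : null;
}

// Decide whether a single iframe tag looks intentionally hidden, and why.
function classifyIframe(tag) {
  const reasons = [];

  // HTML width/height attributes of 0 or 1 pixel.
  const width = toPixels(getAttr(tag, 'width'));
  const height = toPixels(getAttr(tag, 'height'));
  if (width !== null && width <= 1) reasons.push('width<=1px');
  if (height !== null && height <= 1) reasons.push('height<=1px');

  // Inline CSS that hides the frame or collapses it to (almost) nothing.
  const style = (getAttr(tag, 'style') || '').toLowerCase();
  if (/display\s*:\s*none/.test(style)) reasons.push('display:none');
  if (/visibility\s*:\s*hidden/.test(style)) reasons.push('visibility:hidden');
  if (/opacity\s*:\s*0(?:\.0+)?(?:\s*;|\s*$)/.test(style)) reasons.push('opacity:0');
  const sw = style.match(/(?:^|;)\s*width\s*:\s*(\d+(?:\.\d+)?)px/);
  const sh = style.match(/(?:^|;)\s*height\s*:\s*(\d+(?:\.\d+)?)px/);
  if (sw && parseFloat(sw[1]) <= 1) reasons.push('style width<=1px');
  if (sh && parseFloat(sh[1]) <= 1) reasons.push('style height<=1px');

  return {
    src: getAttr(tag, 'src') || '(none)',
    hidden: reasons.length > 0,
    reasons,
  };
}

// Scan a whole HTML document and return only the suspicious iframes.
function findHiddenIframes(html) {
  return extractIframeTags(html).map(classifyIframe).filter((r) => r.hidden);
}

// Constructed sample page: one ordinary video embed and two hidden frames.
const SAMPLE_HTML = `
<html><body>
<h1>Article</h1>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="https://tracker.example/x" width="1" height="1"></iframe>
<iframe src="https://other.example/y" style="display:none; width:0px"></iframe>
</body></html>`;

// Running the file directly prints the two hidden frames and their reasons.
console.log(findHiddenIframes(SAMPLE_HTML));
```

A hidden iframe is not proof of malice (analytics pixels and some legitimate widgets use the same trick), so treat the output as a triage list: review the `src` origins against the site's known embeds rather than blocking on sight.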
A security flaw in Microsoft’s Internet Explorer 5 back in 2002, and again in 2015 with Internet Explorer 11, allowed malicious people to use XSS and iframes to their advantage and steal information quite easily. Usually, for someone to use an iframe and code to their advantage, they first have to get people onto their own website before they can execute bad code and listen. This bug in IE5 and IE11, however, allowed the hackers to listen in on their own site AND the other site they had placed within their iframe. The attack was widespread and very serious, and it was quickly addressed by Microsoft.
As far as protecting yourself from iframe exploits goes, there is not much you can do. Inline frames are NOT always used for malicious purposes and are actually quite common on most sites. The best thing you can do is be extra cautious about signing into anything on a website that is not directly associated with that website, and keep up to date with your browser updates.
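The advice above is for the person browsing. On the other side, the site whose login page might be loaded inside someone else's iframe has a standard control: the `X-Frame-Options` header and the `Content-Security-Policy` `frame-ancestors` directive tell the browser who may frame the page, and `frame-ancestors` takes precedence when both are present. As an added example (not code from the original article), the Node.js snippet below evaluates a response's headers and reports whether third-party sites can frame it; the sample header sets and the partner hostname are constructed for the example.

```javascript
// Added example: decide from HTTP response headers whether a page can be
// loaded in another site's iframe. Not code from the original article.

// Extract the frame-ancestors source list from a CSP header value, or null
// if the directive is absent. Quotes around keywords like 'self' are removed.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// headers: object keyed by lowercase header name (the shape Node's http
// module delivers). Returns who is allowed to frame the response.
function framingPolicy(headers) {
  const fa = frameAncestors(headers['content-security-policy']);
  if (fa !== null) {
    // CSP frame-ancestors wins over X-Frame-Options when both are present.
    // An empty source list matches nothing, the same as 'none'.
    if (fa.length === 0 || fa.includes('none')) return { source: 'csp', allows: 'nobody' };
    if (fa.includes('*')) return { source: 'csp', allows: 'anyone' };
    if (fa.length === 1 && fa[0] === 'self') return { source: 'csp', allows: 'same-origin' };
    return {
      source: 'csp',
      allows: 'listed-origins',
      origins: fa.filter((o) => o !== 'self'),
    };
  }
  // Fall back to the legacy header. Only DENY and SAMEORIGIN are honoured by
  // current browsers; any other value (including the obsolete ALLOW-FROM) is
  // ignored, which leaves the page frameable.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { source: 'x-frame-options', allows: 'nobody' };
  if (xfo === 'SAMEORIGIN') return { source: 'x-frame-options', allows: 'same-origin' };
  return { source: 'none', allows: 'anyone' };
}

// True when an unrelated site could embed this response in its own iframe.
function canBeFramedByThirdParty(headers) {
  return framingPolicy(headers).allows === 'anyone';
}

// Headers a login page should send. Both are set so that browsers without
// frame-ancestors support still get the X-Frame-Options protection.
function recommendedHeaders() {
  return {
    'x-frame-options': 'DENY',
    'content-security-policy': "frame-ancestors 'none'",
  };
}

// Constructed sample responses, keyed by a short description.
const SAMPLES = {
  unprotectedLogin: { 'content-type': 'text/html' },
  legacyProtected: { 'x-frame-options': 'SAMEORIGIN' },
  cspProtected: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspPartner: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
};

// Running the file directly prints the verdict for each sample.
for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, framingPolicy(headers), 'third-party frameable:', canBeFramedByThirdParty(headers));
}
```

To check a real deployment, fetch the login page with any HTTP client, lowercase the header names, and pass the result to `framingPolicy`; a login or checkout page that comes back as `allows: 'anyone'` is one that an unrelated site could wrap in the kind of frame the article describes.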