The problem inherent with this is that the installed script is executed in the context of the last visited URL, giving an attacker the opportunity to access the domain of last the visited webpage.
For example, the attacker can run a specially crafted HTTP server which logs all incoming requests, and sends an HTTP Redirect reply that contains the victim's real homepage URL.
When the user clicks on the homepage button, he will be redirected to his original homepage, without noticing that his cookies have been stolen!
Although this is not an invisible attack, nor a very effective one (how often do you click on the Homepage button?), its strength is that it is persistent. Most people do not change their homepage frequently, so once the user has been lured into changing his homepage, months may pass before he discovers that his cookies have been stolen.
Now it is Yair's turn to find a new vulnerability in Internet Explorer :)