While performing online banking using a browser, your friend received a message with a link to a website. Upon clicking the link, another browser session opened and displayed a funny video. Later, your friend received a letter from the bank indicating that his account had been accessed from another country and an attempt to transfer money was made. The bank asked him to confirm the transfer. What vulnerability did the attacker exploit to carry out this attack?