As you can experience though this Secunia Multiple Browsers Frame Injection Vulnerability test page and recently reintroduced into Firefox, other websites can easily inject their own page into a frame from another website. How does it work? Just set the link target to the name of the victim's frame.
Note that older unpatched version of browsers that allows cross-domain script access to frame names are still vulnerable. I've checked that IE6 SP2 and Firefox 1.0.4 do not. Not sure about others though.
Caveat: I whipped this up after only a brief study of the vulnerability today so beware that it is offered only as-is.