by magicalhippo 2558 days ago
A couple of years ago a significant news site here in .no had their ad network hacked. The result was that if you were browsing that site that morning, and were a customer of the largest bank in .no, you'd silently get served some software which would do a MITM attack against the online account page of said bank, redirecting any payments you made without your knowledge.

All you had to do was to visit that site with Java installed on that computer, which most users of said bank did because their 2-factor login relied on Java...

So yeah, don't click on random links.

1 comments

I use Firefox, which I've locked down pretty hard. No site gets to run active content of any kind by default. No Java, not even JavaScript. That and all the ad-blocking really limits the likelihood of my getting infected from just an initial click, but even that isn't foolproof. IE once managed to let attackers get you just by viewing an image (CVE-2005-2308).
0-days are not limited to JavaScript - the next one might well be in the canvas/image/svg renderer. When someone has targeted you with a 0-day and you load the website they compromised, all bets are off.