An attacker could inject content into another website's window, for instance replacing a log-in pop-up window for an online bank with a page that looks similar to the bank's log-in window.
The attacker would have to know the target name of the window being replaced, and would require the attacker's website and the target website to be open at the same time.
Secunia rated the vulnerability as 'moderately critical', its third most severe security rating on a five-step scale.
A Microsoft spokesman denied that the reported flaw describes a vulnerability in its software.
The company told vnunet.com in an emailed statement that Secunia describes the issue as "a by-design behaviour in popular web browsers that allows a website to open or reuse a pop-up window".
Users will be able to tell that they have been directed to a phishing website because the pop-up window displays an address bar.
Secunia issued a warning about a similar vulnerability in Internet Explorer 5 and 6 in 2004.
Today's alert is the fourth alleged security vulnerability that Secunia has unearthed in Internet Explorer 7 since the browser was launched earlier this month.
Insecticides based on sulfoxaflor might be as bad for bees as neonicotinoids
Intel teases forthcoming new graphics card accompanied by the text "We will set our graphics free"
Think your password manager is completely secure? Think again...
ARM plans 7nm 'Deimos' for 2019 and 5nm and 7nm 'Hercules' for 2020