The vulnerability is that Mozilla/Firefox is able to open XUL files in remote server. XUL is an XML format for user interfaces. It is a feature. But unfortunately someone can create an XUL that looks (and functions) like Mozilla/Firefox.
This trick only works for popup window if no taskbar and status bar. If you open the XUL with normal window or tab, you'll notice that it is fake. In case if you don't have Mozilla/Firefox (you should), here is a screenshot taken by me:
Beware when you are viewing popup page from untrusted sites. ;-)