Netscape Communicator 4.6 Win95 (probably all 4.x) allows code injection in the "about:" protocol.
The problem is injecting JS code in "charset" and then executing it after opening "about:document".
Reading user's cache
Reading Netscape's configuration ("about:config") including user's email address, mail servers and password.
This page demonstrates reading the first URL in your cache.
(The source is so complex because you cannot use ";")