There is a security bug in Netscape Communicator 4.6 Win95 (guess all 4.x versions are affected) which allows executing code in the "about:" protocol.
The problem is injecting JavaScript code in the cache.
If you enter a special URL containing &{JS CODE}; in the cache, the JS Code is executed when the cache is opened.
Note that the problem is not the "data:" protocol but &{JS CODE};

Workaround: Disable JavaScript.
Go to Georgi Guninski's home page