Scammers are actively using a ( http://en.wikipedia.org/wiki/Cross-site_scripting ) cross-site scripting exploit on Steam profiles to commit fraud.

Some things which can happen with cross-site scripting:

- Fraudulent store/market purchases

- Trading your items away to a scammer (if you aren't paying attention to mobile auth)

- Sending tradeable/giftable games away (mobile confirmation NOT required)

- Redirecting to phishing website within Steam client itself, potentially hijacking account

- Downloading malware (ransomware, Steam stealers, key loggers, etc)

- Other nasty things I will not elaborate on

Do not view any Steam profile links while logged in, even legitimate, until further notice. It doesn't matter whether you do this within Steam itself, the in-game overlay, or any web browser such as Edge/Firefox/Chrome. If affected, you won't see any of this happening until it's too late.

Keep an eye on your market/store transaction history and gift history for unrecognized purchases, and do not approve any unrecognized or suspicious trades or market listings from the Steam mobile authenticator. Do not assume any Steam profiles are safe to look at.

For more information: https://www.reddit.com/r/Steam/comments/5skfg4/warning_regarding_a_steam_profile_related_exploit/