It shouldn’t be, and it’s relatively rare on the modern web. But to display a web page, your computer receives instructions on how that web page should operate. In other words, it is executing code written by someone else, and that always presents some security risk.

Browsers are *supposed* to box this code up in such a way that it can’t get at the rest of your computer, but an inescapable sandbox is hard to build, and attackers are always finding new vulnerabilities to try to escape it (and the major browsers are patching those vulnerabilities as they find them).

Website can trick a user into downloading and executing a program containing the virus. Usually because user was promised something by the website, like a rewad or porn. And there are plenty of computer illiterate people who can be tricked like this.

It’s like waterproofing a basement. You have all the tools and materials that the industry tells you are right (web browser).

But the home builder (operating system) or manufacturer of the tools (also OS, or 3rd party libraries) may have made mistakes in their construction/materials.

So you water proof a basement (your web browser), but water still gets in (virus) because a sink hole opened up nearby, because your water line broke while you were on vacation (looking at a porn site).

Enough time and effort, sure we could find every chance of water leaking or sink hole risks. But annoyingly, it’s economically more efficient to respond to some of these things rather than hunt them down.

That’s why we have anti-virus software (insurance) that helps us most of the time, but not always (above your policy maximum).

TL;DR people make mistakes and it’s often cheaper to react to them than proactively hunt them down. A web browser is no different and can be tricked into doing things it shouldn’t.

To see a website your computer must download and save all the information on your computer.

Afterwards your web browser will read this information and display you a website.

The browser is supposed to isolate this process from accessing the rest of your computer. But developers are not perfect and as such this isolation is not perfect either.

That’s why it’s important to keep your browser up to date. If you use old browsers you run into risk of someone taking advantage of known error, which was already fixed.

This is by no means common.

Don’t click on anything that says, “clean my mac” It installs PUP malware onto your device and it’s really bad.