It shouldn’t be, and it’s relatively rare on the modern web. But to display a web page, your computer receives instructions on how that web page should operate. In other words, it is executing code written by someone else, and that always presents some security risk.

Browsers are *supposed* to box this code up in such a way that it can’t get at the rest of your computer, but an inescapable sandbox is hard to build, and attackers are always finding new vulnerabilities to try to escape it (and the major browsers are patching those vulnerabilities as they find them).