Code execution exploits in the browser
This is the most egregious type, and also the rarest. Occasionally attackers will discover a vulnerability in the browser itself that allows execution of arbitrary binary code when a user simply visits a compromised site. Browsers are complex pieces of machinery with many subsystems (HTML rendering, JavaScript engine, CSS parser, image parsers, etc.), and a small coding mistake in any of these systems could offer malicious code just enough of a foothold to get running. From there, the malicious code has lots of options – downloading other malicious packages, stealing sensitive data and sending it to servers abroad, or silently waiting for further instructions from the attacker. The attacker doesn't even have to compromise a legitimate site to host such an attack – advertising networks have been used to distribute malicious code on otherwise secure sites.
Ways to avoid: Turn on automatic updates in Windows and in your browser of choice. This type of vulnerability is usually patched quickly by the browser or OS vendor, so attackers have a very short window in which to use it against fully updated systems. You're probably not the target they would spend such a rare and valuable zero-day on.
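One way to confirm that nothing has switched those automatic updates off, as an added example that is not part of the original article: a PowerShell check of the machine-wide policy registry values that can disable updating for Windows, Chrome, Edge and Firefox. It assumes a Windows machine and only inspects policy settings under HKLM; the choice of these four products is an assumption of the example.

```powershell
# Added example: report registry policies that turn automatic updates off.
# A missing policy value means the product's default behaviour (updates on) applies.
$checks = @(
    @{ Name = 'Windows Update'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Value = 'NoAutoUpdate'; Bad = @(1) },         # 1 = automatic updates disabled
    @{ Name = 'Google Chrome'; Path = 'HKLM:\SOFTWARE\Policies\Google\Update'
       Value = 'UpdateDefault'; Bad = @(0, 2) },     # 0 = updates disabled, 2 = manual only
    @{ Name = 'Microsoft Edge'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
       Value = 'UpdateDefault'; Bad = @(0, 2) },     # same meaning as the Chrome policy
    @{ Name = 'Mozilla Firefox'; Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
       Value = 'DisableAppUpdate'; Bad = @(1) }      # 1 = application updates disabled
)

function Get-UpdatePolicyState {
    param([hashtable]$Check)

    # Returns nothing (without an error) when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        $setting = $null
        $state   = 'no policy set (default applies)'
    }
    else {
        $setting = $item.($Check.Value)
        $state   = if ($Check.Bad -contains $setting) { 'AUTOMATIC UPDATES BLOCKED' }
                   else { 'policy allows updates' }
    }

    [pscustomobject]@{
        Product = $Check.Name
        Policy  = $Check.Value
        Setting = $setting
        State   = $state
    }
}

$checks | ForEach-Object { Get-UpdatePolicyState -Check $_ } | Format-Table -AutoSize
```

Any row reporting AUTOMATIC UPDATES BLOCKED means a policy is keeping that product from patching itself, which lengthens the window the paragraph above describes.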