Browsers have a long and storied history of vulnerabilities that have provided attackers with a lucrative and near-endless supply of victims upon which to prey.
Code execution exploits in plug-ins
Plug-ins are probably the most well-known vector for drive-by downloads (attacks that silently download and run native code on your system). From Flash to Silverlight to Java, even plug-ins from large, reputable vendors have been repeatedly found to have vulnerabilities used in malware attacks. Like browser exploits, vulnerabilities of this type are typically patched by vendors in short order, but outdated copies of browser plug-ins far outnumber the updated ones.
Ways to avoid: Keep your plug-ins updated, and uninstall plug-ins and extensions that you don't use. Browsers are getting better at warning users about outdated plug-ins, so don't ignore the warnings.