There is a potential user-triggered vulnerability that stems from the lack of content validation.
If a user clicks on the link blahblahblah.com/somePic.png, AVAST SafeZone, Chrome, Firefox and IE do not validate that the content is actually a PNG file.
This means that a malicious site can entice somebody to view a picture, load HTML and scripts in response to the .png GET request, and then dump an actual PNG file after that so that the user would be none the wiser about what just happened.
I believe that files for known extensions should be checked, and users seriously warned before the browser actually displays anything (or runs scripts).
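The check proposed above, written out as an added example (not code from the original post or from any of the browsers named): a fetched response is compared against what its URL extension promises, using both the declared Content-Type and the file's magic bytes. The host example.test and the sample bodies are constructed for illustration.

```python
from urllib.parse import urlparse

# Magic-byte signatures and the MIME type each image extension promises.
IMAGE_TYPES = {
    "png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}

def url_extension(url):
    """Lower-case extension of the URL path's last segment, or None."""
    name = urlparse(url).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else None

def check_response(url, content_type, body_prefix):
    """Return (ok, reason). ok is False when the URL extension promises an
    image but the declared type or the leading body bytes say otherwise.
    URLs without a known image extension are not checked and pass."""
    ext = url_extension(url)
    if ext not in IMAGE_TYPES:
        return True, "no known image extension; not checked"
    expected_mime, signatures = IMAGE_TYPES[ext]
    # Drop parameters such as "; charset=utf-8" before comparing.
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected_mime:
        return False, f".{ext} URL served as {declared!r}, expected {expected_mime!r}"
    if not any(body_prefix.startswith(sig) for sig in signatures):
        return False, f"body does not start with a {expected_mime} signature"
    return True, f"content consistent with .{ext}"

if __name__ == "__main__":
    # Constructed sample: a .png URL whose response is actually an HTML page.
    decoy = b"<!DOCTYPE html><html><body>not a picture</body></html>"
    print(check_response("https://example.test/somePic.png",
                         "text/html; charset=utf-8", decoy))
    # Constructed sample: the first bytes of a genuine PNG file.
    real = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
    print(check_response("https://example.test/somePic.png", "image/png", real))
```

A filtering proxy or browser extension would run this on the response headers and the first few bytes of the body before handing anything to the renderer.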