In a few words:
While other browsers do not allow particular characters in subdomains, IE does. Hence it's possible to abuse that behavior to exploit referrer-based DOM XSS.
Some more words about it:
write('<sc'+'ript src="http://Host/image.gif?t='+c+'r='+(referrer.split("/"))+'"></sc'+'ript>'); // updated to match host-only referrer
Immediately some questions came to me: « Is it actually exploitable? Does any browser allow HTML special characters in a subdomain, like '">heyThere.mindedsecurity.com? »
After testing some browsers, I saw that Internet Explorer does allow them.
So we set up a DNS server that always returns the same IP no matter what subdomain is requested.
That means that it's possible for an attacker to request
"onreadystatechange=eval(name).attacker.com and use it to abuse IE host behavior and exploit
pages vulnerable to DOM Based Cross Site Scripting via referrer.
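On the defensive side, the fix is to treat the referrer host as untrusted input. The following is an added example, not code from the original post or from the affected site: it puts the concatenation pattern shown above next to a hardened builder. The function names, the `[2]` host index and the `&` separator are assumptions, and the sample referrers are constructed.

```javascript
// Added example (not the original site's code). Function names are hypothetical.
// Strict RFC 1123 "letters, digits, hyphen" label: no quotes, '=', '(' or '<'.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Vulnerable pattern from the post, host-only variant (the [2] index is an assumption).
function naiveTag(c, referrer) {
  return '<sc' + 'ript src="http://Host/image.gif?t=' + c + 'r=' +
         referrer.split("/")[2] + '"></sc' + 'ript>';
}

// Pull the authority out of the referrer and drop userinfo and port.
function refHost(referrer) {
  const parts = String(referrer).split("/");
  if (parts.length < 3 || !/^https?:$/i.test(parts[0]) || parts[1] !== "") return "";
  return parts[2].replace(/^.*@/, "").replace(/:\d*$/, "");
}

function isValidHostname(host) {
  return host.length > 0 && host.length <= 253 &&
         host.split(".").every((label) => LABEL.test(label));
}

// Hardened: validate the host, then percent-encode every dynamic value.
// Assign the result to scriptElement.src instead of building markup with write().
function trackingUrl(c, referrer) {
  const host = refHost(referrer);
  const safeHost = isValidHostname(host) ? host : "";
  return "http://Host/image.gif?t=" + encodeURIComponent(c) +
         "&r=" + encodeURIComponent(safeHost);
}

// Constructed sample referrers; the second uses the host string quoted in the post.
const samples = [
  "http://www.example.com/some/page",
  'http://"onreadystatechange=eval(name).attacker.com/',
];
for (const ref of samples) {
  console.log(naiveTag(1, ref));    // the quote in the host closes the src attribute
  console.log(trackingUrl(1, ref)); // invalid host is dropped, nothing leaves the URL
}
```

The hostname check rejects the malformed host outright, and the percent-encoding is a second layer so that no referrer-derived character can close the attribute even if the validation is later relaxed.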
Nota Bene: At the moment the wildcard DNS is private. But we'll release
a basic service to test referrer-based DOM XSS. So, stay tuned for updates.