Web applications allow external sites to include content by using IFrames. This enables an attacker to embed the malicious code beneath legitimate clickable content. An attacker can trick a web user into clicking the malicious content that the attacker can control.
The configuration to prevent this attack is enabled by default in Access Manager 4.3.