The popular desktop and mobile bitcoin wallet, Electrum, was updated yesterday to version 3.0.4 and then to 3.0.5 in order to protect against a vulnerability which could allow attackers to siphon off bitcoins off a wallet with JavaScript on a webpage. In other words, if you’ve ever had Electrum open with no wallet passphrase set, and had a web page open, you could have been compromised.
As the vulnerability allows random websites to steal your wallet via JavaScript, the general advice to users is to shut down Electrum right now if they are running on an older version, and upgrade to Electrum 3.0.5, making sure to check the PGP signature and verify that the software is legitimate.
It’s also possible that your wallet has already been compromised and the bitcoin has been left alone, for now. If you want to be prudent it might be best to move your bitcoin to a completely new wallet created on Electrum 3.0.5 or above. With that said, if your wallet had been compromised, there’s a good chance it would have been emptied by now, if you didn't have a passphrase.
If you've always used a passphrase then an attack could get your address and transaction information from your wallet and change you Electrum settings, which "could have a high chance of being exploitable further." Those who have always used a passphrase may not have to worry so much but it's still a good idea to move to another wallet too, just in case.
The bug is also thought to affect altcoin derivatives of Electrum including Electron Cash. If you use any of these alt-clients then its best to shut them down until their maintainers have published an update for their software.
Source: Bitcoin Talk