Google has just released yesterday a new version of its toolbar (v2.0.114-5) to fix some vulnerabilities. It's not possible anymore to inject code remotely on MS Internet Explorer.

According to SecurityTracker, it was reported that the 'About' section of the Google Toolbar did not properly filter HTML code. A user could create HTML that, when loaded by the target user, will invoke the About page and execute arbitrary scripting code in the context of the page.

Google Toolbar v 2.0.114-5

Via Inside Google and Dirson.