We've known for quite awhile that WPAD/PAC is a problem and supporting it by default is even worse. Exploiting browsers via JavaScript:

https://www.youtube.com/watch?v=3vegxj5a1Rw

Rendering JavaScript and other bad things that are apparently still embargoed in the context of an HTTP 407 with WPAD/PAC being one vector to get in the middle:

http://www.falseconnect.com/