SPI Labs has discovered a practical method of using JavaScript to detect the search queries a user has entered into arbitrary search engines. All the code needed to steal a user’s search queries is written in JavaScript and uses Cascading Style Sheets (CSS). This code could be embedded into any website either by the website owner or by a malicious third party through a Cross-site Scripting (XSS) attack. There it would harvest information about every visitor to that site.
You can download it from the following link: https://packetstormsecurity.com/files/download/50593/JS_SearchQueryTheft.pdf
Source: https://packetstormsecurity.com/files/50593/JS_SearchQueryTheft.pdf.html