Yes. Malicious websites can exploit browser vulnerabilities or trick you into installing "codec updates" that are actually malware.
