Cookies can be called remotely by images.
Sounds bizarre - let me explain:
For technical reasons it's possible to specifiy a script as a location for an image, for instance instead of requesting "images/pretty_pony.jpg" an image tag could request "scripts/image_vault.php?id=34021", where 34021 specifies a row in an image table that relates to the same pony image.
This means that the script has to be called to find which image the number 34021 relates to in the database, then find the image and echo it to the browser. Since a script is being run, this means you can do other things like download cookies from the server the image is stored on, or grab information stored in URL variables.
So let's say nasty-ads.net is serving images to SFN, they could use this method to deliver and recover cookies, which lets them track your browsing habits, common search terms, whatever they like.
The solution to this is to go to your browser's privacy options and customise to:
1) Block 3rd party cookies
2) Block cookies that are not from the originating server
3) If you are really paranoid, block images that are not from the originating server.