From bugtraq:

Description: Google's custom websearch does not prevent javascript from
being inserted into the url of the image, allowing malicious users to modify
the content of the google page allowing in phishing attacks, or silently
steal search terms/results/clicks or modify actual searches to always
contain controlled results. With Googles trusted status, the risk is almost
certainly high.
In IE:
http://www.google.com/custom?cof=L:j...39;SodaP')

The exploit has been public for over 2 years, and google have been informed
on multiple occasions.
This may not be very harmful except for phishing attacks, but why wouldn't google fix it regardless? Last thing Google needs is a reputation of late bug fixes, considering the expansion of services it is currently going through.

Hmmmm..... Gmail cookies and XSS? Any possible problems with saved passwords? Gmail doesn't have a /custom interface does it?