Scanning a QR code that contained a javascript: URL would have resulted in the Javascript being executed.
