I just tested it on a Samsung Galaxy S3, in several forms (as src in link, script, img, video and object elements, as well as the href in an a element). Nothing happened here.

Android Central reported that the (verizon) S3 was not vulnerable to this attack.

http://www.androidcentral.com/major-security-vulnerability-s...

Edit: Found some postings on xda-dev that the GS3 is vulnerable. Could depend on firmware version, I know a system update came out recently on Sprint.

I just tried it on the S3 test device here at work. No go on either putting it in a web page, or going through a QR code.