Are there security issues with embedding an HTTPS iframe on an HTTP page?

If only the iframe is https, the user cannot trivially see the URL it points to. Therefore, the source http page could be altered to point the iframe anywhere it wanted to. That's pretty much a game-over vulnerability that eliminates the advantages of https.


iFrames will expose the inner HTTPS site to numerous JavaScript and cookie attacks in older browsers, and may cause issues in newer browsers.

To fix this, look up "Frame Busting" to detect if iFrames are being used. Consider this solution on StackOverflow:

https://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed

In that code, you can detect if iFrames are being used, and offer alternative content to direct the user to the proper site.
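The two halves of a framing defence for an HTTPS site, as an added example written here; it is not code from the answer above or from the linked StackOverflow thread. The server-side half sends the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers that stop browsers rendering the page inside a foreign frame at all; the client-side half is the detection the answer describes, written so that the cross-origin `SecurityError` thrown when reading `window.top.location` is treated as the signal that a foreign page is framing the document. The window fixtures at the bottom are constructed stand-ins for browser objects so the code runs under Node; `bank.example` is a placeholder hostname.

```javascript
"use strict";
// Added example (not from the answer above or the linked StackOverflow post):
// server-side framing headers plus client-side framing detection.

// Server side: response headers telling the browser not to render this
// document inside a frame on another origin. CSP frame-ancestors is the
// current mechanism; X-Frame-Options is kept for older browsers.
function frameProtectionHeaders(allowSameOrigin = false) {
  return {
    "X-Frame-Options": allowSameOrigin ? "SAMEORIGIN" : "DENY",
    "Content-Security-Policy": allowSameOrigin
      ? "frame-ancestors 'self'"
      : "frame-ancestors 'none'",
  };
}

// Attach the headers to a Node-style response object (anything with a
// setHeader method, e.g. http.ServerResponse). Returns the headers set.
function applyFrameProtection(res, allowSameOrigin = false) {
  const headers = frameProtectionHeaders(allowSameOrigin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

// Client side: classify how the document is being displayed. Takes a
// window-like object so it can be exercised outside a browser; in a real
// page you would call framingStatus(window).
// win.top === win.self means the document is the top-level page. When it is
// framed, reading win.top.location.href succeeds only if the framing page has
// the same origin; a cross-origin parent makes the browser throw, and that
// throw is itself the evidence that a foreign page is framing us.
function framingStatus(win) {
  if (win.top === win.self) return "not-framed";
  try {
    void win.top.location.href;
    return "framed-same-origin";
  } catch (err) {
    return "framed-cross-origin";
  }
}

// Decide what to render: the normal UI unless a foreign origin is framing
// us, in which case only a plain message with a link to the genuine site
// (the "alternative content" the answer refers to). canonicalUrl is a
// constant the site owner controls, never user input, so it is not escaped.
function contentFor(status, canonicalUrl) {
  if (status === "framed-cross-origin") {
    return `<p>Please open this page directly: <a href="${canonicalUrl}" target="_top">${canonicalUrl}</a></p>`;
  }
  return "<!-- render normal application UI -->";
}

// Constructed fixtures standing in for browser window objects (assumption:
// they mimic only the top/self/location properties the code above touches).
function makeWindowFixtures() {
  const topLevel = { location: { href: "https://bank.example/login" } };
  topLevel.top = topLevel;
  topLevel.self = topLevel;

  const sameOriginChild = { top: topLevel };
  sameOriginChild.self = sameOriginChild;

  // A cross-origin parent: any access to its location throws, as browsers do.
  const foreignTop = {
    get location() { throw new Error("SecurityError: cross-origin access"); },
  };
  const crossOriginChild = { top: foreignTop };
  crossOriginChild.self = crossOriginChild;

  return { topLevel, sameOriginChild, crossOriginChild };
}

// Stand-alone demonstration.
{
  const fixtures = makeWindowFixtures();
  for (const [name, win] of Object.entries(fixtures)) {
    console.log(name, "->", framingStatus(win));
  }
  console.log(frameProtectionHeaders());
}
```

The headers are the defence to rely on: a browser that honours `frame-ancestors 'none'` never loads the page in a foreign frame, so the client-side script never has to run in a hostile frame in the first place. The script is still worth having for the older browsers the answer mentions, and for the same-origin case where you want to know whether to show the full UI or a link that breaks out with `target="_top"`.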


An HTTPS iframe within a page served over HTTP will not allow the user to be sure they are actually using the HTTPS connection that they expect to be; therefore, this potentially allows the iframe to be hijacked in a simple attack such as an iframe injection. This would allow password harvesting, among other things. Such an attack could begin through a Trojan, a virus, or simply visiting a malicious website.