If it's just the form and captcha, depending how the captcha is created, you may be able to copy and paste.
There aren't any substantial security risks with doing it that way, so nothing going to stop them. If it's on the client site in a web page, there isn't much that can be done (I can take any HTML form on the web and run it, most will work). Now there may be some server site checks (such as checking which domain it came from), but as long as the server isn't restricted based on that (which it usually isn't), it'll work.
One thing you should know, though, is when they submit the form they will be taken to site B, away from your site, so you should pop it up in a separate window or something.