The researchers say that an attacker can use a malicious JavaScript on a public website to at least "discover internal hosts, do limited port scanning, do service fingerprinting." Among the attack ...