These vulnerabilities import JavaScript from untrustworthy sources that are not necessarily controlled by the page owner. For more details, see http://blog.securitee.org/?p=255.
Script inclusions from localhost, for example http://127.0.0.2/localhost_import.js
Script inclusions from private-network IP addresses, for example http://192.168.1.2/private_network_import.js
Script inclusions from non-registered domains or typosquatting domains, for example http://g00gle.com/typosquatting_domain.js
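
An audit for the three inclusion classes listed above, as an added example that is not part of the original page. The TRUSTED allowlist, the digit-folding table, the label names and the last two sample tags are assumptions. Registration status cannot be checked offline, so any host outside the allowlist is reported for manual review.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"google.com"}              # assumption: hosts the owner means to load from
FOLD = str.maketrans("0135", "oles")  # assumption: digit-for-letter look-alike swaps

def classify(src):
    """Return a risk label for one script src, or None if nothing is flagged."""
    host = (urlsplit(src).hostname or "").lower()
    if not host:
        return None                   # relative URL, served from the page's own origin
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_loopback:            # all of 127.0.0.0/8 (so 127.0.0.2 too) and ::1
            return "loopback"
        if ip.is_private or ip.is_link_local:
            return "private-network"
    except ValueError:
        pass                          # not an IP literal, treat as a domain name
    if host in TRUSTED or any(host.endswith("." + t) for t in TRUSTED):
        return None
    if host.translate(FOLD) in TRUSTED:
        return "lookalike-domain"     # e.g. g00gle.com folds to google.com
    return "unlisted-host"            # may be unregistered; needs a DNS/WHOIS check

class ScriptSrcAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src and classify(src):
            self.findings.append((classify(src), src))

def audit(html):
    parser = ScriptSrcAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample page: the page's three example URLs plus two benign tags.
SAMPLE = """<script src="http://127.0.0.2/localhost_import.js"></script>
<script src="http://192.168.1.2/private_network_import.js"></script>
<script src="http://g00gle.com/typosquatting_domain.js"></script>
<script src="https://www.google.com/ok.js"></script>
<script src="/static/app.js"></script>"""

if __name__ == "__main__":
    for label, src in audit(SAMPLE):
        print(f"{label:18} {src}")
```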