This page contains two script tags:

  1. One refers to a JSONP endpoint which returns callback({});, where callback is the value of the query parameter called "callback".
    The endpoint only accepts alphanumeric values for the callback name, but is still vulnerable to the Rosetta Flash attack.
  2. The other refers to an endpoint which always returns func({});.
    The URL in the src attribute of the script tag supplies a query parameter callback=func which may trick some scanners into thinking that the endpoint is vulnerable (as the response begins with the value of a query parameter).