Comment by jakub_g

I've started thinking about all those banks [1] and other pages serving like/tweet buttons on the login page.

Or pages including Google Analytics. If the described behaviors really take place, given the massive scale of deployment of Google Analytics, Statcounter, FB buttons, jQuery includes from CDNs, you should be able to do arbitrary JS injections to a non-trivial number of users (though very random).

[1] http://my.opera.com/hallvors/blog/2012/05/11/social-media-ba...