A little more than half a year ago I wrote an article on how security solutions using whitelists are better than those using blacklists. At the same time I noted that even using whitelists is not always enough — for example when your whitelist is predictable and the attacker can make sure the whitelisting rule applies to him. NoScript extension was the example I used, and its author reacted by adding “XSS protection” assuming that this would invalidate my claims.
Now RSnake was in a much better situation than the majority of NoScript users. He did not only notice the attack that executed in background, he probably didn’t even have a single entry in his NoScript whitelist to be exploited. Too bad that 99% of the users never configure anything — meaning that they still use the default whitelisting entries that NoScript comes with and that I warned against a while ago. Instead of cutting this list down to the bare minimum (ideally: zero), the author kept four (!) of his domains on the default whitelist — and Google ads, just to make sure he still gets money from people forced to visit on each NoScript update (which happens approximately once per week).
To reiterate what I already stated before: if Firefox users ever come under attack (hardly ever happened so far, at least if you run the latest Firefox version) — for the vast majority of users NoScript will not be a help. It tends to stop lots of harmless (meaning useful) stuff but cannot be relied on when it comes to the attacks it is supposed to stop.