>"Specifically, we think that JavaScript has been injected into your site by a third party and may be used to redirect users to malicious sites"

Funny, there was just a discussion here yesterday asking "Why would anybody use NoScript?"

I'm pretty sure anyone savvy enough to install NoScript would notice if he/she was redirected to a malicious site.

Nothing says the current user of the machine is the tech-savvy installer. My mother's comp has no-script on it, but she is in no way strong technologically.

A "mom-level" user may well enable scripts when prompted by an artful redirect like say:

1. A clone of your bank website (if you were headed there)

2. A page-not-found or server error page that looked normal..

3. the old "virus alert" scam

The malicious site could exploit some vulnerability in the software you're using though.