So website with bad script injected is loaded by the user and is able to make requests to a logged-in banking website with time-based/scrolling attacks.