by ultimoo 4819 days ago
Yes, I think what the original article is saying is that the cookie could have been altered by a rogue browser extension/virus on a user's computer, which could then potentially be used to import a script from a different origin into the user's page.
1 comments

If I have my malware on your computer, I'm just going to use it to steal your cookie (any other sensitive information) directly rather than perform some convoluted roundabout XSS. :P
If you wanted to access a company's server, this actually sounds like a reasonable attack vector. Get malware on someone's computer and use it to perform SQL injections. It depends on what information the attacker is after.