Okay, this has absolutely nothing to do specifically with javascript in the browser! This attack is applicable to ANY system where the application designer leaves sensitive data in a place that can trivially accessed by malicious applications if they jump through a few simplistic hoops!
Mega left user data in an essentially public place.
Mega left user data in an essentially public place.