[wtallis]

If you browse with NoScript in default-deny mode, you're probably also the type to use RequestPolicy which would prevent irrelevant sites from running a script off vjs.zendcdn.net

NoScript isn't a comprehensive security/privacy suite. It's just a crucial component.

[TheDong]

RequestPolicy won't save you if the link is to a subdomain of vjs.zendcdn.net which is whitelisted, but also the site you're visiting.

[wtallis]

Right, if you get tricked into visiting the site then first-party scripts can run. But with XSS protection intact and RequestPolicy preventing any third-party access, the scope of possible attacks is pretty narrow.