Attacks are carried out via user-created eBay stores
Because eBay’s developers said on January 16, 2016, that they won’t fix the issue, which was discovered on December 15, 2015, Check Point’s staff did not reveal in their vulnerability disclosure how they managed to load the JSF**k library on the eBay store.
The JSF**k attack is invisible to eBay’s security system
Since the malicious JSF**k code is made up only of the [, ], (, ), !, and + characters, this attack won’t trigger any of eBay’s XSS and CSRF security protection systems, which don’t check for the presence of any of these characters.
Besides creating the malicious code and the eBay store to host it, attackers only need to distribute their store’s links to desired targets.
Check Point provided two proof-of-concept videos to demonstrate their attack.
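The filter gap described above can be closed with a check for long runs of the six characters. The sketch below is an added example, not code from eBay or Check Point: the function names, the thresholds and the keyword denylist it is compared against are assumptions, and the sample strings are constructed.

```javascript
// Added example: flag script text written only in the six-character alphabet.
// keywordFilter, findSymbolOnlyRuns, screenScript and both thresholds are hypothetical.

const MIN_RUN = 40;      // assumed: shortest symbol-only run worth flagging
const MIN_DISTINCT = 4;  // assumed: need 4 of the 6 characters, so "((((" or "!!!!" pass

// Hypothetical keyword denylist of the kind this encoding slips past
// (not eBay's actual filter). Returns true when the input is allowed.
function keywordFilter(text) {
  return !/\b(eval|document|cookie|window|Function|alert)\b/.test(text);
}

// A run of [ ] ( ) ! + characters, with optional whitespace between them.
const RUN_RE = /[\[\]()!+][\[\]()!+\s]*/g;

function findSymbolOnlyRuns(text, minRun = MIN_RUN) {
  const findings = [];
  for (const m of text.matchAll(RUN_RE)) {
    const symbols = m[0].replace(/\s/g, "");
    const distinct = new Set(symbols).size;
    if (symbols.length >= minRun && distinct >= MIN_DISTINCT) {
      findings.push({ offset: m.index, length: symbols.length, distinct });
    }
  }
  return findings;
}

// Combined check: keyword denylist plus the symbol-run heuristic.
function screenScript(text) {
  const runs = findSymbolOnlyRuns(text);
  return { allowed: keywordFilter(text) && runs.length === 0, runs };
}

// Constructed samples. SAMPLE_ENCODED repeats one short fragment and ends in a
// dangling "+", so it is not a working payload.
const SAMPLE_ENCODED = "(![]+[])[+[]]+".repeat(10);
const SAMPLE_PLAIN = "var c = document.cookie;";
const SAMPLE_BENIGN = "Vintage lamp (tested) - works great!!! [free shipping] 2+1 offer";

for (const s of [SAMPLE_ENCODED, SAMPLE_PLAIN, SAMPLE_BENIGN]) {
  console.log(keywordFilter(s), screenScript(s).allowed, s.slice(0, 30));
}
```

The encoded sample passes the keyword denylist but is rejected by the combined check, while ordinary listing text with scattered punctuation is left alone.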