@DoctorB — I am dismissing the PC World hatchet piece as clickbait, out of hand. I’m not sure if you stopped reading after the first sentence of my response, and assumed I was referring to FlashPoint.
As for the FlashPoint.io report, I tried to summarize its shortcomings in my response above. It is a rehashing of an old vulnerability, so it doesn’t need to be written up as if it were some newly discovered exploit. Furthermore, the iframe issue is an infrequently encountered variant of a larger class of vulnerabilities — i.e., invisible forms injected by third-party scripts (typically websites use iframes only as a fallback within a <noscript> block for browsers that can’t run scripts). Note that the script-based variant of this type of attack has actually been observed in the wild, on approximately 0.1% of the top million websites. The same can’t be said about the iframe “vulnerability” being touted by Flashpoint. Flashpoint claims to have created a working exploit, but a paid subscription is required to access this demonstration, so there is evidently a profit motive behind the publication of their report.