The weak point as usual are the endpoints. The attack vector described in these documents is JavaScript via some library called E4X. Makes me wonder why Tor bundle doesn't come with NoScript enabled by default.
Utopistically, how nice would be if the whole web provided no-javascript versions of the sites? In the end 90% of the cases javascript is used just to do fancy things, while actual functionalities could be achieved with much less pain (and vulnerability).
I think this would have been true a few years back, but I think more and more web-sites are using javascript in irreplaceable waves. I suspect javascript will become increasingly necessary as frameworks like angularjs become more popular. That said, if you are just interested in buying a pizza, or reading a blog post, then maybe javascript will never be really necessary.
