Exploit of basic JavaScript?
I would imagine, since it involves most browsers, that it must involve something common between them. If it's tricky to solve, then it probably involves a basic function, such that crippling it would result in collateral damage. I once recall a simple JavaScript function that allowed one to post arbitrary text to the status line. Combined with an onMouseOver event you can create a false address that can't be detected unless one had the gall to look at source code.
Then again, this exploit may be similar but different, but it must use a common link to affect so many browsers.