
Erm no, it is a vulnerability, and it is there.
El Reg has just linked to the proof of concept incorrectly.
Correct proof of concept link:
http://liudieyu.com/kissofthedragon.32168816196486005/
(e.g. lose the 'bye.html' off the end)
Then click the BBB logo presented to open a popup with a bbb.org 'address' and his own content.