How do they perform transactions? I need a separate device, which I stick my card into and give the initial code from the bank, along with the value of the transaction and receiving bank account; I then need to punch in the resulting number.
Even if they hijack the initial code, they can't do anything with it, because it would still produce an invalid code for their transaction, because the other amount and other receiving account number would generate a different checksum... Even the automated version, which shows an "animated barcode", still gets me to double check amount and account number before giving me the resulting code.
Unless they can somehow get my device's seed (which is not possible without physical access to the device and completely dismantling it, removing the encrypter chip and sticking the chip in some sort of reader (and even then, I don't know if they could easily read the seed) and a) the device would no longer work and b) it would be obvious to me that I'd been "hacked"), I don't see how JavaScript injection is going to do anything useful.
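
An added illustration of the transaction-bound response code the comment above describes. It is not part of the original comment and not any bank's actual algorithm. It assumes an HMAC-SHA256 over the challenge, amount and account with HOTP-style truncation as a stand-in, and the seed, challenge and account values are constructed.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not from the page).
SEED = b"per-device-secret-held-in-reader-and-bank"
CHALLENGE = "48213377"            # the "initial code from the bank"
AMOUNT = "100.00"
PAYEE = "NL00EXAMPLE0000000001"
OTHER_PAYEE = "NL00EXAMPLE0000000002"


def response_code(seed: bytes, challenge: str, amount: str, account: str,
                  digits: int = 8) -> str:
    """Code the reader shows: a MAC over everything the user confirmed."""
    # Length-prefix each field so ("12", "3") and ("1", "23") cannot collide.
    msg = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode()
        for f in (challenge, amount, account)
    )
    mac = hmac.new(seed, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226) down to a typeable number.
    off = mac[-1] & 0x0F
    num = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)


def bank_verify(seed: bytes, challenge: str, amount: str, account: str,
                code: str) -> bool:
    """Bank side: recompute over the transaction it actually received."""
    expected = response_code(seed, challenge, amount, account)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    # The user keys the challenge, amount and payee into the reader.
    code = response_code(SEED, CHALLENGE, AMOUNT, PAYEE)
    return {
        # Transaction reaches the bank unchanged: accepted.
        "genuine": bank_verify(SEED, CHALLENGE, AMOUNT, PAYEE, code),
        # Same challenge and code, but a different account was submitted.
        "changed_account": bank_verify(SEED, CHALLENGE, AMOUNT, OTHER_PAYEE, code),
        # Same challenge and code, but a different amount was submitted.
        "changed_amount": bank_verify(SEED, CHALLENGE, "9100.00", PAYEE, code),
    }


if __name__ == "__main__":
    print(demo())
```

The binding only holds for the amount and account the user actually checked on the reader, which is why the device asks for that confirmation before releasing the code.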