for the attack to succeed.
Of course, if the victim site uses a mixed SSL policy (i.e. it's NOT forced to HTTPS either by HSTS or by NoScript's explicit HTTPS enforcement, something which shouldn't be condoned for any financial institution), the attacker might be able to inject his code directly inside the unencrypted victim pages, but in order to do that he must already control your DNS and/or your network (i.e. he's your internet provider or you're behind a hostile proxy).
In such extreme (and rather uncommon) situations you should raise your NoScript "Option|Advanced|Forbid active web content unless it comes from a secure (HTTPS) connection" setting to the appropriate level, even though this means browsing non-HTTPS websites may become quite painful.