Dear Sirs,
Yesterday I was browsing the videogames section at 'www.walmart.com'.
Yes, 'www.walmart.com'.
Suddenly, my Ubuntu system froze. Only the mouse pointer movement was still responding, but mouse clicking wasn't.
It stayed in this state for about 1 minute. Then JDownloader opened and warned me that an external application (flashgot) was accessing it, asking whether I would allow the access to proceed or not. In fact my flashgot is associated with JDownloader, BUT I didn't click on anything to download at all!
But, as I said, the mouse click wasn't responding. There was a countdown on the JDownloader window and the default option was 'allow'.
I didn't have time to start another tty and kill JDownloader before the (supposed) malicious code executed.
I'm almost sure that this was a flashgot + JDownloader exploit that was able to bypass NoScript.
Furthermore, analysing my apparmor logs I also noticed that Java code had executed from the Icedtea-Web plugin and it tried to execute my '/bin/which', apparently even before JDownloader started.
I tried to trace the exploit source and I believe that it might be the site 'http://wtags.bluekai.com'.
Could you check this out?
Was this an XSS attack?
Wasn't NoScript supposed to block it?
Any help would be really appreciated.
Thanks in advance.
Bruno
Additional Information:
---------------------------------
Link:
http://www.walmart.com/cp/413799?povid= ... _GAMES_PS3
Before the exploit executed I had allowed the following domains:
wallmart.com
channelintelligence.com
walmartimages.com
FlashGot + JDownloader exploit-walmart.com -NoScript bypass?
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: FlashGot + JDownloader exploit-walmart.com -NoScript byp
There likely was no attack at all.
FlashGot may have been accidentally triggered by a middle-button/drag south gesture.
FlashGot does invoke /bin/which several times to figure out the paths to installed download managers (in JDownloader's case, to figure out the path to the java executable and launch JDownloader if it's not already running).
The first time JDownloader gets a communication from FlashGot (via an HTTP request on http://127.0.0.1:9666/flashgot ), it asks for permission in order to prevent other possibly malicious applications from abusing the same interface.
The "lock" you experienced in the browser may have been caused either by the "Allow" dialog spawned synchronously by JDownloader or by App Armor objecting to FlashGot's preliminary checks.
That's all; the behavior you described can be easily explained in non-malicious terms, provided that you've got both FlashGot and JDownloader installed on your system.

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
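An added triage helper (written for this page, not code from the thread, FlashGot or JDownloader) that parses AppArmor audit lines of the kind Bruno mentions and checks whether the only exec events are the `java` process running `/bin/which`, the pattern Giorgio attributes to FlashGot probing for installed download managers. The log lines are constructed samples and the Firefox profile name is an assumption.

```python
import re
from collections import Counter

# Constructed AppArmor audit lines in the usual key=value audit shape.
# Sample data for this example only, not lines from the poster's system;
# the profile path is assumed, not taken from the thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1340000000.123:501): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/bin/which" pid=4242 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1340000000.456:502): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/ld.so.cache" pid=4242 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1340000000.789:503): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/bin/which" pid=4243 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one AppArmor audit line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_log(text):
    """Parse only the lines that carry an apparmor= field; ignore other audit noise."""
    return [parse_line(l) for l in text.splitlines() if "apparmor=" in l]


def exec_events(events):
    """Exec operations only, as (profile, comm, target) tuples."""
    return [(e.get("profile"), e.get("comm"), e.get("name"))
            for e in events if e.get("operation") == "exec"]


def summarize(events):
    """Count how often each (profile, comm, target) exec combination occurred."""
    return Counter(exec_events(events))


def only_which_from_java(events):
    """True when every exec event is java -> /bin/which, the benign pattern the
    thread describes (FlashGot locating download managers). Anything else
    deserves a closer look rather than an automatic 'benign' verdict."""
    ex = exec_events(events)
    return bool(ex) and all(comm == "java" and target == "/bin/which"
                            for _, comm, target in ex)


def unexpected_execs(events):
    """Exec events that do not match the expected java -> /bin/which pattern."""
    return [t for t in exec_events(events) if (t[1], t[2]) != ("java", "/bin/which")]
```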
Re: FlashGot + JDownloader exploit-walmart.com -NoScript byp
Thank you very much indeed, Sir.
I've never experienced anything like this before; nonetheless, you must be right.
I feel more relieved.
By the way, congratulations on the Firefox extensions.

Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1