The damage can be wholly prevented if it's a malicious embedded script/frame, in which case script control will stop it dead in its tracks. That's why I'd love to know the link so I can test it.
No worries. It would just be interesting to hear how things go if she utilizes some form of "lightweight" script control, as I suggest in post #13 Also, if she uses Chrome or related browser, could you get her to type and enter in the address bar: Code: chrome://sandbox then see what she gets? She should see something similar to: Sandbox Status SUID Sandbox No Namespace Sandbox Yes PID namespaces Yes Network namespaces Yes Seccomp-BPF sandbox Yes Seccomp-BPF sandbox supports TSYNC No Yama LSM enforcing Yes You are adequately sandboxed.