Hi Paul McKeown,
On the original website reported there is also rollover.js script vulnerable to code injection via document.writeln etc.
In 2014 an iFrame that seamlessly redirected browsing users to an exploit was buried in one of the Javascript files that were served by the web server specifically at hxxp://www.hatobus.co.jp/js/rollover.js." So such malware schemes are definitely probable (note from me, pol).
With non-properly parsed URLS there onmouseover is XSS-exploitable.
XSS-Dom Results from scanning URL: htxp://chessarbitersassociation.co.uk/assets/rollover.js
Number of sources found: 17
Number of sinks found: 6
polonus (volunteer website security analyst and website error-hunter)
P.S. For the watchmytraffic counter malware read:
http://jira.jtalks.org/browse/JC-1553D