As the sites affected will be trusted sites (banks etc.), will the XSS protection still apply if the user has allowed scripts?
I don't know exactly. The way I see it (and I could be wrong), even if you have allowed scripts for a trusted site, the XSS continues to function. But that would really have to be confirmed by NoScript.
As I read it, the malicious link will not be on the bank website. (Probably in a spam email?)
The phishing page visited will display the Flash marketing graphics from the bank but with malicious code injected which is able to steal user information from the bank site.
As far as I can see, there's no danger from visiting the page with the vulnerable Flash content itself, but I stand to be corrected.
This is probably more to the point of security, practising safe hex: don't go clicking links to sites in unsolicited emails. I would like to hope most people are now aware that banks don't send out emails asking you to update your security details, etc. etc. I get lots of emails purporting to be from "my bank" when I don't have an account with them (in America, etc.), nor do they have my email.
But in any case, even if it were a legit email from your bank, it is still unsolicited; you weren't expecting it, and it should be treated with caution. If I want to connect to my bank on-line, I either type in the URL myself or use a bookmark, never the link in an email. I also check the underlying URL, not just the one that is displayed. I also filter my email with MailWasher before it gets to my inbox, and this is where virtually all phishing emails die along with my spam.
So yes, there will be a new exploit along any time now, so yes, we need to keep software up to date, but at the same time not forget common sense and safe hex.