
The point is the iframe/JS is used to break out of the browser sandbox, due to a bug in the browser, with techniques like heap spraying (mentioned in the article).

Once you manage to get arbitrary code running in the context of the browser, you can do anything the browser can, including (presumably) making raw non-Tor connections to anywhere, identifying the Tor user and correlating that with what they were doing over Tor.

Among other things like installing arbitrary malware kits that completely compromise the machine.



That's why there are things like Whonix.



