All found security bugs described in the security-report.md whitepaper have been reported to the vendor and fixed as of 10/25/2017.
The evil-script.js contains the evil code, which exploits the F-Secure KEY browser extension and tries to retrieve user's stored usernames and passwords.
The appropriate security advisory has been released by the vendor as well:
https://www.f-secure.com/en/business/support-and-downloads/security-advisories/fsc-2017-2