Erm no, it is a vulnerability, and it is there.
El Reg has just linked to the proof of concept incorrectly.
Correct proof of concept link:
(e.g. lose the 'bye.html' off the end)
Then click the BBB logo presented to open a popup with a bbb.org 'address' and his own content.