The PoC code appears to force a Safari user to visit the Daily Mail URL, but the script "quickly loads another URL before the legitimate page can be loaded," Jeremiah Grossman of WhiteHat Security explains to Ars Technica. He describes it as a clever hack.
This is only a demo, but malicious exploitation could be much more serious, such as stealing login credentials or installing malware from a site the user believes to be trusted. For the moment, no such attack has been reported in the wild.
The vulnerability, dubbed iWhere, affects the most up-to-date versions of Safari for both OS X and iOS. It was found by a group of security researchers known as Deusen. The group drew attention last February when it disclosed a cross-site scripting (XSS) vulnerability affecting Internet Explorer that enabled hard-to-detect phishing.
It remains to be seen how Apple will react.