Note: Safari will show the attack URL as invalid or invalid.invalid. That's good. It looks like Safari isn't vulnerable because it doesn't support punycode. Chrome and Firefox are vulnerable because they do. I think the fix here is to fix punycode, but I don't know enough about the internals of this exploit to be totally sure.