The attack works because NoScript has a limited whitelist of trusted domains, allowing the host browser to load commonly used tools from certain content delivery networks like googleapis.com. This feature tries to preserve websites' functionality while simultaneously blocking any potentially malicious code.
Because the extension will implicitly trust any subdomain whose parent domain is present in the whitelist, Särud found that NoScript will trust the storage.googleapis.com subdomain, which hosts Google's Cloud Storage service. He uploaded a small test script there, which cleanly got past NoScript.
Särud built upon the work of Matthew Bryant, another security researcher, who found that the whitelist itself was stale: it contained the unused domain vjs.zendcdn.net. Bryant registered zendcdn.net for a mere $10.69 and put up a proof-of-concept script that NoScript dutifully let through.
Both Särud and Bryant contacted NoScript's author about these issues. An updated version of the extension that closes the loopholes noted above is now available, so NoScript users should update immediately.
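The implicit subdomain trust described above, as an added JavaScript example (not NoScript's own code): a hypothetical suffix-matching allowlist check beside an exact-host check, plus an audit that flags entries covering hosts that serve user-uploaded content. The function names, sample URLs and the list of user-content hosts are constructed for illustration; only the domain names come from the article.

```javascript
// Hypothetical allowlist matcher for illustration; not NoScript's implementation.
// The two entries are the domains named in the article.
const ALLOWLIST = ["googleapis.com", "vjs.zendcdn.net"];

// Normalise a script URL to a lowercase hostname without a trailing dot.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase().replace(/\.$/, "");
}

// True when host equals the entry or sits anywhere beneath it.
function coveredBy(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

// Weak policy: every entry implicitly trusts all of its subdomains.
function trustedBySuffix(url, list = ALLOWLIST) {
  const host = hostOf(url);
  return list.some((entry) => coveredBy(host, entry));
}

// Stricter policy: only hostnames listed verbatim are trusted.
function trustedExact(url, list = ALLOWLIST) {
  return list.includes(hostOf(url));
}

// Audit: which entries would admit a host where third parties can upload files?
function entriesCoveringUserContent(list, userContentHosts) {
  return list.filter((entry) =>
    userContentHosts.some((host) => coveredBy(host, entry)));
}

// Constructed sample URLs (bucket and file names are placeholders).
const cdnScript = "https://ajax.googleapis.com/ajax/libs/example.js";
const bucketScript = "https://storage.googleapis.com/example-bucket/test.js";
const pinned = ["ajax.googleapis.com"]; // exact host instead of parent domain

console.log("suffix policy, bucket:", trustedBySuffix(bucketScript));
console.log("exact policy, bucket: ", trustedExact(bucketScript, pinned));
console.log("exact policy, CDN:    ", trustedExact(cdnScript, pinned));
console.log("risky entries:",
  entriesCoveringUserContent(ALLOWLIST, ["storage.googleapis.com"]));
```

Pinning the exact CDN hostname keeps the library loading while the storage host falls outside the list; the audit is only as good as the user-content host list it is given.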