Thanks for the heads-up.
I realize this deals with code stored on the same server, which sets it apart from a normal XSS attack, but am dubious as to how effective the exploit would be if you were using Firefox with it set to warn on redirection, with the NoScript extension, which provides some XSS protection, didn't have the site whitelisted, and didn't allow JS globally, but you can't be too careful.
I do use Yahoo email but still use the old style form which doesn't require JavaScript to be enabled.