Anyone who can place JavaScript on a page can just redirect you to the malicious site without you needing to click anything.