Script mine_coins.js might do that at some point in time on a site A. However, that might change. Unless you inspect the script every time you load it, you won't know now, will you?
So we have a script that does something which has to be communicated back to the site (otherwise how do they get the results of the work). But it might communicate it to another site (cause they use different domain for computation results processing, to 'streamline the process'). Tomorrow it will be upgraded to communicate with multiple other machines (in order to more efficiently process the workload, yadda, yadda). Call me paranoid but that spells botnet to me.
Now security.First, it is easier to hide nefarious stuff in 5 (10? 50?) megs of math heavy code than in a two page straightforward DOM manipulation library.Second, even if we consider your machine is protected from rooting/snooping by whatever sandbox the browser of your choice implements, it doesn't protect the rest of the world from actions originating from your machine.Third, considering heavy CPU load normal when you browse the net is a great incentive for malicious people to replace legit scripts on servers you access with something else. Today every time my computer slows down for no obvious reason, I go through running processes to find the culprit and then check what that process(es) talk to. But if every site I visit ramps up my CPU load significantly, I will get used to it. Mining bitcoins? Participating in DDOS? Cracking passwords? I wouldn't know unless I check every time.