Here is a proof of concept in what I'm calling NAT Pinning ("hacking gibsons" was already taken). The idea is an attacker lures a victim to a web page. The web page forces the user's router or firewall, unbeknownst to them, to port forward any port number back to the user's machine. If the user had FTP/ssh/etc open but it was blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.
In short, he exploits a smart mechanism in modern network equipment, which graciously and "magically" NATs on the fly arbitrary ports when certain handshake patterns are detected in outbound traffic, allowing (usually older) protocols which require a "call back" connection (like FTP, IRC or SIP) to work properly.
Good news is that ABE can prevent exploitation without hampering the useful functionality. If you're concerned about this issue, you just need to open NoScript Options|Advanced|ABE and edit the "USER" ruleset, adding the following rule:
# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports) Site ^https?://[^/]+:[0-35-7] Deny
Bad news is that Java, Flash, Silverlight and maybe other plugins can open raw sockets bypassing any browser control, including ABE. Just another reason to keep them at bay.
Thanks to Thoughtcrime for bringing this to my attention, and to Samy for the chat we had this afternoon.