Some of the work I do involves talking to web application developers about vulnerabilities in their applications. I've found that there is a class of vulnerability that is still catching teams by surprise - JavaScript Hijacking (that is, JavaScript based cross domain request forgeries. Your assessment tool may categories these attacks using either of these terms)