And it's not really an Exploit, either.
1: It's javascript that tries to guess what your modems IP address is. If it's possible for javascript to find out what your IP Address is, it becomes trivial, and it it's possible for javascript to find out what your default route is, then it's solved.
2: It then tries to get into your router. I would assume there would be another js library that it would load, that could be easily kept up to date, containing fingerprints of modems so it can figure out what it is, and try the default (root/password, admin/admin, etc)
3: It then updates the DNS servers in the modem to NOT use the ISP assigned ones, but nasty ones. As your PC queries the modem (99% of the time, unless you've manually changed your DNS servers) for DNS results, if the DNS relay in the modem is pointing to the wrong root, then you'll get crap answers.
I realise they say that using OpenDNS wouldn't avoid this, but I think that's known, technically, as bullshit.