Report Offensive Message

They could still just display an advertisement, but have the page it loads have scripts as well.
You can always iframe to a page that just displays an image and has a script in the header that runs on load. A user would never know.
Instead, iFrames need to be changed so that you can't iframe in a source that not from the same root address. And if you try, the browser should give an allow/deny warning.