More technical users should also be aware that revoking CALL_PHONE permissions would serve to block this attack within any HTML-rendering app (via chrisfu at XDA).
On waking this morning we see there have naturally been further developments overnight in relation to this issue.
Firstly, it has become clear that for the most part only handsets running TouchWiz are affected. That said, users have replicated it in CM7-based ROMs, and on a number of HTC devices as well. It does seem quite solid at this point that if you're happily running a more recent version of CM/AOSP/AOKP you're unaffected. Furthermore, it seems the vulnerability is tied at least as much to the dialler as it is to the browser: the optimistic early advice to just use Chrome appears flawed, with users able to replicate the exploit from within Chrome also. There are also reports that recent Samsung firmwares, such as the DLIB official Jelly Bean build from Poland, are unaffected by this, but it seems slightly premature to suggest this is confirmed. The bottom line is that the full extent of this vulnerability is not presently known.
To put all of this in context, let's not forget that the Galaxy SII is affected here: this means the exploit has likely been available for over a year now, and there are ZERO affected users. This could just end up being a typical "Android security scare" non-event. That said, now that the exploit is widely known, that may change, and as always it's better to take preventative measures than suffer the potential consequences.
With that in mind, the best information presently to hand suggests installing Dialler One as a workaround, which doesn't automatically open the codes. (Also, if you do not set the default dialler after installation, you will be offered a choice of which dialler to invoke, giving you an opportunity to back out of opening the link.)