Yes or it could be a site they visit regularly that has been hacked. Or a site that hasn't been hacked but that has JS from an ad network on it that has been hacked or let through a vulnerability. These are very scary hacks.
Update: I wrote up my recent experience of a shady advertising buy that appears to have spreading malware (likely via Java) as a goal http://news.ycombinator.com/item?id=5305092
Update: I wrote up my recent experience of a shady advertising buy that appears to have spreading malware (likely via Java) as a goal http://news.ycombinator.com/item?id=5305092