True to a certain extent.
There are exploits out there that use JavaScript, Java or ActiveX in your web browser to bypass NAT too.
"I'll just disable JavaScript," you say? They say, "We'll use a browser quirk that delays the rendering of images."
Watching the timing differences enables the attacker to derive which ports are open and which aren't, and build upon that.
There's also another variant out there that makes use of CSS (code that's commonly used by websites to lay out their user interfaces).
Time to consider a text-only web browser such as Lynx perhaps...