Is there a way for users to turn them off?
TVJon
Go to Safari: Preferences: Security:
... and deselect "Enable Javascript".
You'll have to turn it back on to post, etc, but if you're just lurking and reading, it works fine. Also usually kills popover flash ads everywhere on "the interwebs" and a host of other popover annoyances, eg: ShareThis, etc. Don't be afraid to reload the page if necessary to enable it when needed.
I often find I've been surfing for hours before I click on something and "nothing happens" ... oh yeah, turn Javascript back on. It doesn't adversely affect browsing 90% of the time to have it disabled; in fact it's refreshing to finally surf without all the crap popping up everywhere ... eg Stereophile's "subscribe" popover, Salon's, etc.
I also use a CSS based ad-blocker which turns 90% of all web based adverting off (you just see blank marker outlines) and you can leave that on all the time. Google for it, it's not hard to find, and you can edit it to add new annoyances anytime.
Copy it somewhere to your computer (I use Users: Library: Internet Plugins, but anywhere convenient is fine) and point Safari to it at:
Safari: Preferences: Advanced: Style Sheet
Finally, install ClicktoFlash (free download) to kill all Flash based ads, as well as annoying things like websites that blast some audio on the home page when you're trying to surf and listen to music. You can always load Flash by clicking on the blank placeholder, or add a site to a whitelist to always display Flash content. When surfing away from an AC outlet, you will find your battery lasts much longer with a portable if you aren't loading every little Flash thingy on every page.
Both Adobe web technologies (Flash and PDF) are useful to deploy malware, although generally it's a Windows executable that arrives by that vector, so it does nothing on your Mac. I use a non-Adobe flash viewer that cannot take advantage of the PDF exploit for reading PDFs in the browser, but you generally have to use the genuine Adobe product if there's a form to fill out.
Sometimes downloading it and using Preview allows you to fill out forms but it depends on how the security was set by whomever built the form in Acrobat if that will work well or not. I don't even have Adobe Reader installed on the system, but if you need to do forms for work you won't be able to live long without it. If it is installed, make sure it's not the default app to open PDFs.
If you don't do forms, you don't need it on OSX as the entire GUI is based on Adobe PDF (OS9 and earlier was PostScript based) and there's always a way to view or create PDFs with the tools that come with the OS (eg Safari: File: Print: and in the window that appears, click the [PDF] button and select "Save as PDF"). You can save an entire web page or article that way, as well as any file on your Mac that will print.
Having said that, there's no reason to believe that a trojan (a file that masquerades as something else that you, presumably, will install yourself, unaware) can't be run on any OS if properly crafted. You don't have the drive-by download issue on OSX (or Firefox on Windows) but that doesn't mean to suggest there's no way to get evil running. Better safe than sorry.
You can also disable Java at the same preferences pane where you find Javascript. There is almost no need to have Java enabled when surfing, and it's a huge security hole on any browser or platform. Occasionally you might have to turn it on and reload the page; eg doing a "speed test" for your net connection. But there's no need to have it on all the time.
Note that Java and Javascript are two completely different, completely unrelated things. Many people confuse one for the other, but they are so different it's not even funny; the similarity in naming is a very unfortunate circumstance due to the confusion it normally causes.
I'm not going to provide any links out of respect for the site and it's revenue model. If you can't find this stuff yourself ... well ... them's the breaks.