False positive in 2016/sw_scm_files_accessible.nasl

2016/sw_scm_files_accessible.nasl looks for files on web servers that should not be available. In its table of targets to search for, it has this entry:

"/.hg/branch", "^default",

Unfortunately, when it scans a particular NAS, it finds this JavaScript snippet in the resulting 404 page:

case 'create_raid':
$('#raid_create_btn').click();
break;
default:
break;

This results in a false positive.

Thanks for your report.

The mentioned VT should already check for a 200 response to avoid false reports on 404 and similar status codes (check_header:TRUE in the called http_vuln_check function). Could it be possible that this response is 200 and not 404 as assumed?

Nevertheless, from the above, the ^default is indeed a little bit too loose, so this will be updated to use a line-ending anchor $ to make it more strict.

Those changes should end up in the feed in the next few days.
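To make the two points in the reply concrete (the 200-only status check and the loose versus anchored pattern), here is an added Python example that is not part of the thread and not code from the NASL plugin. The response bodies are constructed to mirror the report: a NAS 404 page whose JavaScript switch has `default:` at the start of a line, and a genuine `.hg/branch` file that contains only the branch name. Matching is done line by line to approximate how NASL's `egrep()` applies a pattern; that approximation, and the helper names, are assumptions of this example.

```python
import re

# Constructed sample HTTP response bodies (not captured from the original report).
# The NAS error page embeds a JavaScript switch whose "default:" label sits
# at the start of a line, exactly the shape described in the report above.
NAS_404_BODY = (
    "<html><body><h1>404 Not Found</h1>\n"
    "<script>\n"
    "switch (action) {\n"
    "case 'create_raid':\n"
    "$('#raid_create_btn').click();\n"
    "break;\n"
    "default:\n"
    "break;\n"
    "}\n"
    "</script></body></html>\n"
)

# A genuinely exposed Mercurial .hg/branch file: the branch name alone on one line.
HG_BRANCH_BODY = "default\n"

# The loose pattern from the report and the tightened one from the reply.
LOOSE_PATTERN = r"^default"
STRICT_PATTERN = r"^default$"


def body_matches(body: str, pattern: str) -> bool:
    """Apply the pattern to each line separately (assumed egrep()-style semantics).

    CRLF endings are normalised first so a $-anchored pattern still matches a
    body served with Windows line endings.
    """
    for line in body.replace("\r\n", "\n").split("\n"):
        if re.search(pattern, line):
            return True
    return False


def scm_file_exposed(status: int, body: str, pattern: str) -> bool:
    """Mirror the two conditions from the reply: the response must be a 200
    (the check_header:TRUE behaviour) AND the body must match the file signature.
    A 404 body never counts, whatever it contains.
    """
    return status == 200 and body_matches(body, pattern)


if __name__ == "__main__":
    # Loose pattern: the JavaScript "default:" line is enough to trigger a match.
    print("404 page, ^default :", body_matches(NAS_404_BODY, LOOSE_PATTERN))
    # Anchored pattern: "default:" no longer matches, the real file still does.
    print("404 page, ^default$:", body_matches(NAS_404_BODY, STRICT_PATTERN))
    print("hg branch, ^default$:", body_matches(HG_BRANCH_BODY, STRICT_PATTERN))
    # Status gate: even the loose pattern reports nothing for a real 404.
    print("404 status, loose   :", scm_file_exposed(404, NAS_404_BODY, LOOSE_PATTERN))
    # The remaining false-positive case: a server answering 200 for missing pages.
    print("200 status, loose   :", scm_file_exposed(200, NAS_404_BODY, LOOSE_PATTERN))
    print("200 status, strict  :", scm_file_exposed(200, NAS_404_BODY, STRICT_PATTERN))
```

The last two lines of output are the ones worth noting when triaging a report like this: a device that answers 200 for unknown paths slips past the status gate, so the pattern itself has to be tight enough to reject the error-page content, which is what the trailing `$` achieves.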
