Generated by Math.random()? (According to MDN, that's seeded from the current time...)
Update: Another problem is that there is no message authentication. The server can flip individual bits within the message.
Update: Also, obviously, we have to trust noplaintext.com to send us an uncompromised web page.
But wait! View source!
We also have to trust Google, specifically google-analytics.com not to steal the message.
We also have to trust whoever controls the crypto-js project and the people running googlecode.com.
And every router between them and googlecode.com (or whatever that resolves to in their DNS situation!)