Understanding ClickJacking Vulnerability
I have used Atlassian's clickjacking POC to explain.
1. The https://www.atlassian.com/company/contact page was vulnerable. The image posted below shows that I am able to load it in my localhost.
Why is this a critical issue?
Using this, an attacker can make a victim fill out random contact forms without the victim's knowledge. This will result in a bunch of unnecessary contact tickets for the support team that handles them.
2. The link below is also not X-Frame protected and hence vulnerable to clickjacking.
Impact :-
The victim can unknowingly subscribe to the news feeds and may come to doubt Atlassian's integrity and security measures.
3. The blog posts are also not X-Frame protected, so an attacker may lure the victim into posting random comments. URL :- http://blogs.atlassian.com/2013/12/building-better-robot/
*Note :- The images are hazy because the opacity is 0.5; it can be turned to 0, and then the victim won't be able to see anything except your messages, which may lure the victim into clicking.
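"Not X-Frame protected" above means the response carries nothing that stops another origin from framing the page. The following added example (my own code, not Atlassian's or the original post's) classifies a response's headers by which framing protection they provide, checking the CSP frame-ancestors directive first because browsers that support it give it precedence over X-Frame-Options; the sample header sets are constructed, not captured from the sites mentioned.

```python
# Added example: classify HTTP response headers by framing protection.
# Inputs are plain dicts of header name -> value, e.g. from any HTTP client.
from typing import Dict, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'csp', 'xfo' or 'none' for the mechanism that blocks framing.

    A frame-ancestors list is only protective when it does not allow any
    origin ('*'). X-Frame-Options counts only for DENY and SAMEORIGIN; the
    obsolete ALLOW-FROM form is ignored by current browsers, so it is 'none'.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if sources and "*" not in sources:
                    return "csp"
                break  # directive present but permissive: fall through to XFO
    xfo = _header(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"


# Constructed sample responses (not captured from any real site)
UNPROTECTED = {"Content-Type": "text/html"}
XFO_ONLY = {"content-type": "text/html", "x-frame-options": "SAMEORIGIN"}
CSP_AND_XFO = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}
CSP_WILDCARD = {"Content-Security-Policy": "frame-ancestors *"}

if __name__ == "__main__":
    samples = [("unprotected", UNPROTECTED), ("xfo only", XFO_ONLY),
               ("csp + xfo", CSP_AND_XFO), ("csp wildcard", CSP_WILDCARD)]
    for label, hdrs in samples:
        print(f"{label:13s} -> {framing_protection(hdrs)}")
```

A result of 'none' for a page with forms, comment boxes or subscription buttons is the condition the three findings above describe; adding `X-Frame-Options: DENY` together with a `frame-ancestors 'none'` (or `'self'`) directive is the fix.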