
The alert did not appear on an Android 2.3 device (HTC Desire), or a 2.2 emulator (via BrowserStack.com) - not vulnerable, or not compatible with the exploit test?


I didn't test back this far; I should have, it's about 10% of Android users. I tested back to 4.0 (not that 4.0-4.1.2 being vulnerable matters much, since you can get remote code execution easily through the addJavascriptInterface vulnerability). I tried out 2.1 in the emulator just now and got the same results as you, so it looks like 2.x is not affected by this.


I tried it myself also a few minutes ago, on an old Droid Eris/HTC Hero (IIRC) running CM7, Android 2.3.2. It does do an odd double-loading thing, but it doesn't show the alert.

Also, damn this thing is slow and tiny compared to my current phone.

Tried again with a Galaxy Nexus on 4.3. Sure enough, it duplicates fine on the stock browser, and works correctly in Chrome.


I would think this means you are not vulnerable. The js begins with a null byte and works on a lot of different versions.

I think the vuln probably just had not been introduced at that time, but I obviously can't be certain without digging through the git log (and even then...all I can do is corroborate commits with release dates).



