I remember "prototype pollution" as the annoying result of monkeypatching a la prototype.js way back when. But this article presents prototype pollution as a security issue.<p>If an attacker can perform "prototype pollution", aren't they already injecting arbitrary JavaScript into the page? If they already have script injection, why would they choose "prototype pollution" over anything else they could do with arbitrary code?