When Third-Party JavaScript Meets Cache: Explosively Amplifying Security Risks on the Internet
Author
Abstract

Today’s web applications feature the proliferation of third-party JavaScript inclusion, which incurs a range of security risks. Although attack strategies by manipulating third-party JavaScript files have been widely investigated, the adverse impact caused by third-party JavaScript inclusion and caching does not receive much attention. Specifically, when a malicious script is cached, it can revive and bite every time when a user visits any website that includes it, leading to a much worse effect of the attack. In this paper, we present the first comprehensive study on Alexa top one million websites to investigate how likely third-party JavaScript inclusion and caching can make an attack large-scale and long-lasting, and further to uncover insecure practices that carelessly or inadvertently exacerbate the attack impact. We also discuss potential solutions to improve current practices to minimize the security risk associated with third-party JavaScript inclusion and caching.

Year of Publication
2022
Date Published
October
Publisher
IEEE
Conference Location
Austin, TX, USA
ISBN Number
978-1-66546-255-6
URL
https://ieeexplore.ieee.org/document/9947247/
DOI
10.1109/CNS56114.2022.9947247