MDN documentation says:

Never use eval()!

eval() suffers from multiple problems:

- eval() executes the code it's passed with the privileges of the caller. If you run eval() with a string that could be affected by a malicious party, you may end up running malicious code on the user's machine with the permissions of your webpage / extension. More importantly, allowing third-party code to access the scope in which eval() was invoked (if it's a direct eval) can lead to possible attacks that read or change local variables.
- eval() will force the browser to do long expensive variable name lookups to figure out where the variable exists in the machine code and set its value. Additionally, new things can be introduced to that variable through eval(), such as changing the type of that variable, forcing the browser to re-evaluate all of the generated machine code to compensate.
- Minifiers give up on any minification if the scope is transitively depended on by eval(), because otherwise eval() cannot read the correct variable at runtime.
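The scope point in the first item, as an added example that is not part of the MDN text: a direct eval call resolves and can overwrite the caller's local variables, an indirect eval (calling eval through a reference) runs in global scope and cannot see them, and JSON.parse is the alternative for the common case where the string is data rather than code. The function names and the `secretToken` / `counter` locals are constructed for illustration.

```javascript
// Added example (not from MDN). Shows what a string passed to eval() can
// reach depending on how eval() is called, and the data-only alternative.

// Direct eval: the string is evaluated inside this function's scope, so it
// can read a local that was never meant to be exposed to untrusted input.
function readViaDirectEval() {
  const secretToken = "local-value"; // constructed sample local
  return eval("secretToken");        // resolves the caller's local binding
}

// Direct eval can also assign to a caller's local, changing program state.
function mutateViaDirectEval() {
  let counter = 1;
  eval("counter = 99");
  return counter; // 99: the local was rewritten by the evaluated string
}

// Indirect eval ((0, eval)(...)) evaluates in global scope: the caller's
// locals are not visible, so the same string fails with a ReferenceError.
function readViaIndirectEval() {
  const secretToken = "local-value";
  try {
    return (0, eval)("secretToken");
  } catch (e) {
    return e.name; // "ReferenceError"
  }
}

// When the input is supposed to be data (config, API payload), JSON.parse
// accepts only JSON and rejects anything that looks like code, so there is
// no scope to leak and no code to run.
function parseConfig(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name }; // "SyntaxError" for non-JSON input
  }
}
```

The indirect form removes the local-scope exposure but still executes arbitrary code with the page's privileges, which is why the documentation's advice is to avoid eval() altogether rather than to switch forms.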