But to make this attack work, browsers would have to visit this site before the new owner takes it over, in order to receive and cache the malicious JS. And if you can make people receive malicious JS, you've already got your attack vector - immutable caching isn't needed.
if you can make people receive malicious JS, you've already got your attack vector
No, because a malicious JS file by itself can't do much. The attack vector is the malicious JS running on the new site, with permissions to steal session cookies and interact with the application. That's why caching without verification is important: to make sure the browser uses the cached malicious JS instead of fetching the new one.
