Going through a bunch of JavaScript I do not trust and it has a ton of web address comments like citations but likely some bad stuff in there too. What could be swapped with the address to instead act as a local tripwire or trap?

Just a mild curiosity for scripting stuff.

  • tal@lemmy.today
    3 months ago

    I’m not really understanding what it is you are concerned about.

    If it’s that the JavaScript might be malicious, then a browser should be able to sandbox it. IIRC — and you probably want to confirm this, if you’re actively concerned — the Firefox security model is that if you open a file locally, it has local access, but if you open it from a webserver, it doesn’t. Like, JavaScript running in your browser downloaded from a web server shouldn’t have local filesystem access.

    If you want to examine some code, but don’t want the code to phone home in some way, I’d remember that at least DNS is probably also a potential side channel. I’d maybe run the stuff in a VM without network access, if I were concerned about that.
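
One way to do the swap the question asks about (an added example, not code from anyone in the thread): every http(s)/ws(s) URL in the source is replaced with a unique path on a local listener, and each one is labelled as sitting in a comment, a string or bare code. The listener address `127.0.0.1:8099`, the function names and the sample input are assumptions; a literal IP is used so that a hit does not trigger the DNS lookup the reply mentions.

```javascript
// Added example: assumed local tripwire listener; literal IP, so no DNS lookup.
const SINK = "http://127.0.0.1:8099";
const URL_RE = /\b(?:https?|wss?):\/\/[^\s"'`<>)\\]+/g;

// Label each character offset as "code", "comment" or "string", so the "//"
// inside "http://" in a string literal is not mistaken for a comment start.
function classify(src) {
  const kind = new Array(src.length).fill("code");
  let state = "code", quote = "";
  for (let i = 0; i < src.length; i++) {
    const c = src[i], two = src.slice(i, i + 2);
    if (state === "code") {
      if (two === "//") state = "line";
      else if (two === "/*") { state = "block"; kind[i++] = "comment"; }
      else if (c === '"' || c === "'" || c === "`") { state = "string"; quote = c; }
      if (state !== "code") kind[i] = state === "string" ? "string" : "comment";
    } else if (state === "line") {
      if (c === "\n") state = "code"; else kind[i] = "comment";
    } else if (state === "block") {
      kind[i] = "comment";
      if (two === "*/") { kind[++i] = "comment"; state = "code"; }
    } else {
      kind[i] = "string";
      if (c === "\\") kind[++i] = "string"; // skip the escaped character
      else if (c === quote) state = "code";
    }
  }
  return kind;
}

// Swap every URL for a unique tripwire URL; keep a map back to the original.
function defang(src) {
  const kind = classify(src);
  const hits = [];
  const out = src.replace(URL_RE, (url, offset) => {
    const id = "t" + String(hits.length + 1).padStart(4, "0");
    hits.push({ id, where: kind[offset], original: url });
    return `${SINK}/${id}`;
  });
  return { out, hits };
}

// Constructed sample input (reserved .example names, not from the thread).
const SAMPLE = [
  "// adapted from https://docs.example/guide",
  "/* see http://ref.example/a */",
  'fetch("https://collect.example/beacon?x=1");',
].join("\n");
console.log(defang(SAMPLE).hits);
```

The pattern only sees URLs written out literally, and the scanner does not understand regex literals, so addresses assembled at run time from fragments or encodings pass through untouched. The no-network VM suggested in the reply covers that gap.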