The code presented is not malicious per se, but I like to point out that
their problem also was how to change to api version with javascript.
This is kicking security problems because it should be done through server-side programming,
(but this will be a difficult task with hoster providing support for 437 sites on one and the same IP - i.m.o.- pol)
else it will be rather difficult or impossible to perform securely.
Info credits for above explanation should all go to Twitter’s Taylor Singletary.

polonus