You're both right. Blame them all!

I agree, webmasters/designers/spammers deserve it. When HTML5 was still evolving, programming language experts (including Brendan Eich himself) had proposed changes that would've made Javascript a proper language with compile-time security. Bigshot web designers threw a Twitter tantrum because they would've had to dump their beloved monkey-patching frameworks and learn new things like... class-based OO (cry me a river!)

Who had more Twitter followers? The ones with the Twitter-Blogger-SEO-analytics-spam circlejerk network. Thanks to them, Javascript remains an amorphous, ambiguous, dynamic runtime environment without proper walls between PII, content, ads, trackers, malware, etc.

