Of course Facebook's JS won't add itself to websites, so half of the blame goes to webmasters willingly sending malware to browsers.