JavaScript – Is prototype pollution only exploitable in the backend?

I received a Jira when I asked for a security scan to update Lodash for CVE-2019-10744. This is a prototype pollution vulnerability. After reading this excellent paper on prototype pollution, it seems to me that this is only a problem when running JavaScript in the backend.

Does it make sense to deprioritize this particular vulnerability class because we only use JavaScript on the client side? Or can this be used as a vector on the client side for other kinds of attacks like XSS? Is there a reliable way to determine which types of JavaScript vulnerabilities are problematic in the front end and which in the back end?

Web Application – Does HTML Purifier (which converts & to &amp;) prevent HTTP parameter pollution?

If a REST endpoint (http://example.com) takes the p query parameter and passes it to another endpoint:

http_get("http://example.com/api2?p=" . $_GET['p']);

I will be able to exploit it by appending content after p: http://example.com?p=a%26admin=true, which makes a request to http://example.com/api2?p=a&admin=true (%26 is decoded to & by the server), which leads to an exploit if the /api2 endpoint reads the admin parameter.

But if I use HTML Purifier on $_GET['p'], it will convert & into &amp;, which will break the attack if api2 is not reading amp;admin (unlikely in practice).

Does that mean that escaping & into &amp; will effectively prevent the exploit? Why are we warned on this page about &amp;HPP_TEST then?
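
An added example, not part of the original question: the decoded value of p from the question is forwarded with four different encodings, and each resulting URL is parsed the way a PHP backend behind /api2 would parse it. htmlspecialchars() stands in for HTML Purifier (an assumption, so the script runs without the library), and backend_params() is a hypothetical helper.

```php
<?php
// Constructed input: the value of $_GET['p'] after the server has decoded
// the request http://example.com?p=a%26admin=true from the question.
$p = 'a&admin=true';

// Hypothetical helper: parse a URL's query string the way PHP fills $_GET.
function backend_params(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

$base = 'http://example.com/api2?p=';

$variants = [
    // Raw concatenation, as in the question: "&" acts as a separator.
    'raw concatenation' => $base . $p,

    // HTML escaping (stand-in for HTML Purifier, assumption): the output
    // "&amp;" still contains a literal "&", so the query is still split.
    'HTML-escaped' => $base . htmlspecialchars($p, ENT_QUOTES, 'UTF-8'),

    // URL encoding matches the output context: "&" becomes "%26" and "="
    // becomes "%3D", so the whole value stays inside p.
    'rawurlencode' => $base . rawurlencode($p),

    // Building the query from an array encodes every value the same way.
    'http_build_query' => 'http://example.com/api2?'
        . http_build_query(['p' => $p]),
];

foreach ($variants as $label => $url) {
    $params = backend_params($url);
    printf("%-18s %s\n", $label . ':', $url);
    printf("%-18s %s (%d parameter%s)\n\n", '', json_encode($params),
        count($params), count($params) === 1 ? '' : 's');
}
```

With HTML escaping the backend still receives two parameters, p and amp;admin, so the pollution is only renamed; with URL encoding it receives a single p whose value is the full string.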