|A site with JS disabled||The same site with JS enabled|
and with JS disabled, a lot of features disappear (can you spot the 7 differences?):
The main culprit is AJAX, which is like: "the best friend and the worst foe". Indeed, each time you edit a page, protect a page, delete a page, block a user, unblock a user... you call AJAX. These AJAX requests are sent to the Wikia API, which is the intermediate between you and Wikia database containing wikias' information. And this API often needs only one thing, the gold nugget: a token and mainly the edit token. But what is the edit token? The edit token is a sequence of digits and letters of about 25 characters ending with "+/" and is mandatory to edit any Wikia content — ultimately, edit in Wikia's database. This token identifies you, this is why when you edit, your name appears, because the sent token is yours and Wikia API recognizes you.
If a JS script could take this token, it could make edits for you, and this is perfectly what happened when you use for example , or — the script gets your edit token or any needed token and makes edits for you, deletes pages, blocks an user, protects pages, rollbacks edits (it's not the edit token in this case though). These scripts are not malicious but they can be. Imagine for example that WHAM deletes all the pages in your wikia, or remove pages contents in an other wikia, that would definitely block you on this wikia, unblock all vandals of your wikia, block you and remove your sysop and/or bureaucrat rights and redirect you to a malicious site and can do it for everyone on your wikia, including all the admins and all the contributors. Very very very bad luck. But this can be even worse...
Do not forget:
You are a significant wall against malicious attacks. Whichever software, how good it can be, cannot replace your care. You have the intelligence, softwares and computers don't.