This was already proposed and got rejected because of cache poisoning issues.
IF you're able to create a hash collision and IF you're able to deliver (for example) jquery first, your malicious version would be cached and injected into every page that uses the targeted jquery version and makes use of this feature.
This isn't simple, but still an attack vector with huge impact, if successful.
Also:
* If you keep the file forever, you've poisoned this hash forever. If you clear it sometimes, there's a short time window in which you can insert your malicious version.
* If you target an old version of jquery, you're increasing the chance the browser hasn't seen this file yet or forgot about it, to mitigate the poison-forever issue.
If this was even a remotely feasible problem with modern cryptographic hashes, DNSSEC, TLS, SSH, package management systems, most authentication systems, etc. would all be dramatically broken.
If I had this capability I wouldn't waste it on injecting javascript into web pages. I'd create forged browser upgrades and go from there.
Every website using jquery will have the real hash, so you can poison all the mirrors you like and it won't matter.
The only way to get the wrong hash onto sites is to actually publish it on the authoritative server. That's not cache poisoning, that's a malicious official version.
If people start making hash collisions with modern quality hashes, many programs are in serious trouble. Git and Mercurial for a start assume the non-existence of hash collisions.
IF you're able to create a hash collision and IF you're able to deliver (for example) jquery first, your malicious version would be cached and injected into every page that uses the targeted jquery version and makes use of this feature.
This isn't simple, but still an attack vector with huge impact, if successful.
Also:
* If you keep the file forever, you've poisoned this hash forever. If you clear it sometimes, there's a short time window in which you can insert your malicious version.
* If you target an old version of jquery, you're increasing the chance the browser hasn't seen this file yet or forgot about it, to mitigate the poison-forever issue.