I made my own de-obfuscation, removed a bunch of redundant code.
Note that even though in the original, m is a nested list, I've changed it so that it can just be a list of indices. Throughout my testing I was assuming that trailer_and_sum_cipher was that list.
I tested a bunch of things for the alphabet, including that base64 string, some generic 0-9a-z alphabets such as the base64 and base128 alphabets, ASCII mappings, those SHA256 sums, all of it forwards and backwards, and, if the string was shorter than 74, with and without duplicating it (JS, being JS, just silently fails if the string index falls out of range).
The function that gets a cookie isn't used anywhere in the code, and the only cookie that gets stored is the session cookie, which I've also tried as the alphabet (who knows if it's fake and the value is the same for everyone). Didn't work.
The fact that the .js file just contains the "Cipher needed" warning and the fact that the congratulation message is supposed to be printed made me think that, perhaps, it's all generated by the backend, and some other action needs to be done for the script to work properly. However, by browsing the server files (thanks Apache), it seems that the JS script is stored just like that.
The name "trailer_and_sum_cipher" is probably supposed to be a clue, and it might have something to do with SHA256 "sums". There's also a possibility that "JS holds the key" isn't related to this cipher at all, and is part of a completely different deciphering task. Who knows. Those are my thoughts so far, but I have no answers. GL to those who are still trying to solve this.
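
The alphabet trials described in this post can be run systematically; the following is an added example, not the poster's de-obfuscation or the site's script. The function names and the sample index list and alphabet are constructed for illustration; only the length 74 comes from the post. It counts out-of-range lookups instead of letting JavaScript hide them.

```javascript
// Added example: all names and sample data are constructed, not from the site.
const REQUIRED_LEN = 74; // length mentioned in the post

// Look up each index in the alphabet the way the JS would.
// alphabet[i] is undefined when i is out of range; count those misses
// so that a too-short alphabet is visible instead of silently ignored.
function decode(indices, alphabet) {
  let misses = 0;
  const text = indices
    .map((i) => {
      const ch = alphabet[i];
      if (ch === undefined) {
        misses++;
        return "?";
      }
      return ch;
    })
    .join("");
  return { text, misses };
}

// Variants listed in the post: forwards, backwards, and (when the
// candidate is shorter than minLen) each of those repeated up to minLen.
function variants(alphabet, minLen = REQUIRED_LEN) {
  const reversed = alphabet.split("").reverse().join("");
  const out = [];
  for (const [name, a] of [["forward", alphabet], ["reversed", reversed]]) {
    out.push({ name, alphabet: a });
    if (a.length > 0 && a.length < minLen) {
      const repeated = a.repeat(Math.ceil(minLen / a.length)).slice(0, minLen);
      out.push({ name: name + "+repeated", alphabet: repeated });
    }
  }
  return out;
}

// Decode one candidate alphabet under every variant.
function tryAlphabet(indices, alphabet) {
  return variants(alphabet).map((v) => ({ name: v.name, ...decode(indices, v.alphabet) }));
}

// Constructed sample: a 36-character alphabet and one index beyond its end.
const SAMPLE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
const SAMPLE_INDICES = [7, 4, 11, 11, 14, 40];
console.table(tryAlphabet(SAMPLE_INDICES, SAMPLE_ALPHABET));
```

A variant with zero misses is not necessarily right, but any variant with misses can be ruled out at a glance.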