I read many things on js. As far as I understand most browser exploits use
javascript and can not do anything if js is disabled. If your installation
ill get pwned it will be most probably through your Browser and specifically
through some js attack. I keep it disabled all the time and allow it on just
one site (I have had this "just one site js allowed policy" for a long time
now). Javascript is just like Agobbo flash player in this regard: a huge
attack vector.
http://www.codeproject.com/Articles/134024/HTML-and-JavaScript-Injection
https://community.rapid7.com/community/metasploit/blog/2011/07/08/jsobfu
http://www.agoradrugs.com/tag/javascript-exploit/
http://www.majorgeeks.com/news/story/fbi_breaches_tor_browser_via_zero_day_exploit_in_firefox_17.html
https://noscript.net/features
cheers
