JS dramatically increases the attack surface. It allows browser fingerprinting, user fingerprinting (behavioral biometrics) and exploitation of vulnerabilities in JS engine and API design. It must be disabled by default for all untrusted addresses: the ones from the Web and files. Use NoScript for this.
- Related to #9700