It's kind of an odd thing, because in the name of security, JavaScript tends
to be a somewhat castrated language, at least when it's loaded on the request
of a web page. You have all these settings in a browser for what it can and
cannot do, and JavaScript's ability is usually crippled by default. Then you
have NoScript, which blocks even more of JavaScript's ability to do what it
wants. However, it's still a programming language, and you simply can't
design a decent programming language that makes all malicious functionality
impossible.
One basic example of malicious use of JavaScript code is fingerprinting, and
this is quite common. For instance, HTML5 introduced the canvas element,
allowing JavaScript to be used to draw things, a useful thing for games. But
by taking advantage of slight differences in the way browsers handle this,
it's possible to retrieve canvas data and use it to uniquely identify you.
This is one particular thing that Web browser developers (but especially the
Tor Project) have been trying to crack down on, but it's a difficult, ongoing
battle.
I'm sure there are other examples of malicious functionality observed in
JavaScript programs, but I can't think of any right now.