Javascript is everywhere
DSHIELD has published a writeup, called "Javascript hiding everywhere", about some of the places where JavaScript can exist. Some of those places include:
- Quicktime
- Flash
- PDF Files
- MP3s
"Frequent readers will know that we often recommend to ease up on allowing scripting as it's used by the bad guys. XSS bugs are basically so bad, not for the example <sc ript>alert()'XSS'*</sc ript> (spaces added for the overly paranoid web content filters) you might see, but for much nastier things starting with capturing your cookies (read credentials, session keys etc.). Keyloggers aren't impossible either and making you unknowingly upload files from your hard disk to malicious websites etc. is all quite possible in javascript.
And if you supposed it stops in your browser seeing javascript in HTML pages themselves, think again:"
Article Link: http://jeremiahgrossman.blogspot.com/2007/03/big-trouble-if-pci-dss-requires-csrf.html