[pushedx]

Two of the worst things about JS that come to mind in terms of security:

Every number is in 64-bit floating point. So if you want to do any number-theory-based crypto (Elliptic Curve) or you have do deal with numbers bigger than (2^48) you either have to study IEEE 754 very carefully (and likely push to production a series of mistakes), or take the hit of using an integer math library that has worked out how to do proper integer math with the 48-bit mantissa of a 64-bit float.

Of course there are those who don't realize this at all, and try to do integer math in JS, or in the case of a beginning programmer (many students start with JS these days), they don't realize that 0.1 + 0.2 == 0.30000000000000004.

Every variable is global by default. The best way to hide data in JS is within a function closure. However, one forgotten var keyword, and your whole encapsulation model is trashed.