My company has been developing a site for a very large company. The site is now live, and it has received its fair share of hits. The site relies enough on JavaScript to make far less aesthetically pleasing to navigate, especially in older browsers. Their site is accessed by an amusing amount of 'security enthusiasts' who have, by default, disabled JavaScript in their browsers (the site targets accountants, and ironically, a large portion of these viewers' browsers reported severely outdated releases of ie as their useragent).
This means that several purely aesthetic portions of the site have to be hidden by default using noscript tags. In the largest of which, I would like to display a text block that explains the safety of having JavaScript enabled as of 2014. So far, I've come up with the following:
A message from the developer: We've noticed you've got JavaScript turned off. Modern websites are justifiably dependent on JavaScript, and in our opinion, as long as you keep your computer up-to-date with the latest security patches, use a modern operating system, anti-virus, browser and JavaScript interpreter, there's not much point in disabling a valuable browser feature such as JavaScript in the first place.
The thing is - I don't know how accurate I am in saying this. I would like to be as simplistic as possible in explaining this. I've read about things such as the recent NSA exploitation of JavaScript to determine the identity of TOR users, and I honestly can't understand why threats such as this should be an issue for the general public.
As far as my understanding goes, disabling JavaScript is a very serious security precaution - probably too strict for the general user. I don't have a particularly thorough understanding of the way JavaScript works, but it's my understanding that JavaScript runs in a sandbox environment, and can't easily be used to exploit files on a user's machine.
My question is this - just how secure is it for a viewer to have JavaScript enabled? I'm not concerned about SEO agents not being able to see JavaScript defined content. I'm specific in asking the dangers it poses to the general user beyond those of browsing the web in the first place.
I'd also like some help in wording a convincing paragraph on this. As a HTML5 and CSS developer, I consider JavaScript an invaluable asset for cross-compatibility and general functionality, and viewers with JavaScript disabled seems to cause an entire world of trouble and excess work for my team.