I have yet to see an example of pure _javascript_ code that can read an end-user's IP address. Any code I've seen returns either "localhost" or
"127.0.0.1".
That's kind of the conclusion I've reached, though I'm far from an expert.
So, if it can't read the IP, why is it a security risk? Because of cookies?