I have yet to see an example of pure JavaScript code that can read an end-user's IP address. Any code I've seen returns either "localhost" or "127.0.0.1 <http://127.0.0.1>".
That's kind of the conclusion I've reached, though I'm far from an expert.
So, if it can't read the IP, why is it a security risk? Because of cookies?
http://www.anonequity.org/weblog/archives/2006/03/escaping_your_h_1.php
-James