Holes in JavaScript or do you mean Java? Because there is a difference, although I'm thinking you mean Java.. There's been lots of notifications/articles/reports about Java flaws, (with version 7 I believe?) but I don't think you mean JavaScript here...
Java has lots of security flaws, but it is not the same as JavaScript. There's also a feature to turn off JavaScript in Firefox and IE I believe, which isn't a bad thing. Certain sites (from programmers that do not know what they are doing), have certain flaws that give way to XSS cross site scripting attacks. And this is basically the same as you being your own girl guide for your own "cookies", and sending them to someone else, but for free... Simple to avoid, but yet so many sites still don't know what to do to protect against it.