Hole 196 can likely be taken advantage of in a few ways. JS is probably not one of them. Also, the exploit likely depends on what kinda modems/routers/networks you're dealing with. I'll also add this on:
"There's nothing in the standard to upgrade to in order to patch or fix the hole," says Kaustubh Phanse, AirTight's wireless architect who describes Hole 196 as a "zero-day vulnerability that creates a window of opportunity" for exploitation.