It's not actually enabled be default, but it does block Flash and Java even while disabled, and Torbutton blocks certain classes of malicious, potentially deanonymizing JavaScript, I've read, though I don't know if it would block this attack.