34

Tor Browser Bundle ships with NoScript (which can disable JavaScript), but NoScript’s functionality is disabled. This means that by default in the Tor Browser Bundle, all JavaScript code is allowed to execute – including potentially adversarial code.

What was the rationale behind this decision?

Ry-
Megan Walker

2 Answers

33

As so often in anonymity, it boils down to a tradeoff between security and usability. JavaScript certainly doesn't have an excellent track record from a security point of view and disabling it will save you from a bunch of nasty attacks. But whether we like it or not, it's a crucial usability part of today's Internet. Disabling it in the Tor Browser Bundle would break an enormous amount of web sites. To make matters worse, a large fraction of Tor's users are no computer experts. They would likely be confused by all these broken web sites and end up not using Tor anymore.

To spin the thought further, less usability means fewer users which means a smaller anonymity set and less user diversity. After a disabled JavaScript would have chased away the less technically savvy users, the network might end up being composed of geeks who don't mind having no JavaScript. There goes the user diversity and also some anonymity.

The current tradeoff seems sane. While JavaScript is enabled and makes web sites look nice, the NoScript extension (while allowing JavaScript) and a set of other TorBrowser patches take care of a number of other attacks.

Philipp Winter
11

The Tor Browser Bundle ships with JavaScript enabled because disabling JavaScript disrupts the user experience and even usability of such a significant portion of the internet.

That being said, you should disable JavaScript unless you absolutely need it to access a specific site! See also the FAQ entry: Why is NoScript configured to allow JavaScript by default in the Tor Browser Bundle? Isn't that unsafe?

Jens Kubieziel
IceyEC