Yes, if the page is vulnerable to XSS (Cross-Site Scripting), an attacker could run their own script and steal the password stored in the JavaScript variable. Even though it’s not saved in cookies, the password still stays in memory and can be accessed through JavaScript if the attacker injects code into the page. CSRF wouldn’t work here, but XSS could. To stay safe, avoid keeping passwords in variables and always sanitize any data shown on the page.