Suppose that my application has an access token to some facebook user. Is there a security risk in exposing this access token in JS Code to some other users which visit my site? If so, what can they do with it?

You are at risk of

1. Confused deputy -- your code is granting privileges to code that might abuse those privileges either intentionally or by acting on behalf of yet more code that is malicious.
2. Theft via code injection (XSS) -- the credentials could be stolen by code injected into your page via an XSS vulnerability and then used to act on the user's behalf, possibly generating logs which indict you as the culprit.
3. Theft via eavesdropping -- if there is non-HTTPS content going across the connection between the browser and your server, then an eavesdropper with the ability to read packets could steal the credentials.
4. Theft by malware -- if there is malware running on the user's computer, then sending those credentials to the browser exposes them to that malware. The malware would probably have to read memory owned by the browser process or cache files written by the browser.

A Facebook access token gives the same rights your app has to a particular user to anyone that has access to the token. So, if your app acquires the rights to do actions A, B, and C and is issued a token to that effect, any other app that would be able to obtain the token would have the same rights to that user (until the token expires).

So, yes, there is risk. You need to protect the token from access to anyone/anything that should not have the same rights to the Facebook user as your app does.

That access token can be used anywhere by anyone to do anything that the access token has permissions to do. Which is what makes it powerful, right?

So, exposing the access_token in javascript really depends on where that javascript is being run from, and over what type of network that access token is being sent.

If things are over https, then you should have no worries if the device the javascript is running on is otherwise secure (say a personal cell phone's browser with a screen lock).

If the device is say a commonly shared internet terminal, even with https, where everyone uses the same user account, then if a crook snooped thru history files on the browser and pull out that access token. Bad bad bad.

If communicating over http, then it's wide open to the whole world to see. Bad bad bad.

So since you haven't given us any of this information on what the environment is, it's quite a vague questions. So my bottom line is going to be not so vague. Don't do it! Just let Facebook's Javascript SDK handle the access_token for you.

Disclosing Security Token can make your users vulnerable of getting hack

I remember a software "FaceNiff" that runs on rooted Android phone, It sniffs security token of facebook and other websites and you can login in wih any user's account who is connected to that WIFI.

There was a security flaw in another Android software that let hackers sniff your gmail calender security token and can gain full access.

Read this post http://www.techlicious.com/blog/android-security-flaw-could-expose-you-to-data-theft/