Person A wants to access page X and knows the password: the .js is called and cached in his computer, ok
Person B wants to access the same page X but it doesn't knows the password: The .js is never requested and consequently not cached in his computer
if person B looks at person A computer, he can discover the password or at least page X name
so the limitation of the script is that it's not very secure (like all client-side solutions) in a network or a public environment, where more than a person can access the same computer.
But as a individual user, it doesn't seems very probable that person A allows person B to use his computer to steal the code