After further investigation it does look like the bug is not
in JScript/VBScript. That's good news because patching those components would be difficult if not impossible.
There are many ways for .NET code to interface with COM components. To manipulate script objects, ClearScript originally used .NET's dynamic infrastructure, but over time several bugs were found, so we changed some of the code paths to leverage
(for lack of a better term). This fixed the bugs but apparently introduced the interface leak you've discovered.
In our investigation we found that going back to using the dynamic infrastructure fixes the interface leak but reintroduces the old bugs. So no, we don't have a quick fix, but we're still investigating, and there are lots of potential solutions to explore.