The 'httpOnly' flag is a good security mechanism to prevent JavaScript from reading cookies. However, the cookie mentioned cannot have this flag set. The JFBConnect JavaScript functions use that cookie to determine what permissions the user has currently granted and that information is needed *when the JavaScript login* functionality is enabled.
If an XSS issue were to occur on your site and the malicious party did read that cookie, I'm not sure what value it would have. It would simply inform the bad actor if the current user was logged in via Facebook and what permissions they had granted. There's no direct method to use that information for bad purposes, but more security is usually better.
There are many, many cookies usually generated on every site that do not have the httpOnly flag because it does restrict a lot of code functionality. As long as those cookies can't be used for 'evil' purposes, that's ok.
However, if you want to disable that cookie from being generated, you can set the "Show Login Credentials in Pop-up" setting in the Providers -> Facebook area to 'No'. That will redirect the user to Facebook.com for authentication instead of using the JavaScript login mechanism.
The above will prevent the cookie from being set and rid you of the pentest message. There should be no compatibility issues using the server redirect login method either.
I hope that helps, but if you need anything else, just let me know.
Thanks,
Alex
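
Added example (not part of the reply above and not JFBConnect code): a small Node.js check that reads a response's `Set-Cookie` headers and separates cookies that lack `HttpOnly` into reviewed exceptions, which client-side script must read by design, and unreviewed findings. The cookie names, header values and exception list are constructed placeholders; the real name of the cookie discussed above is not given on this page.

```javascript
// Audit Set-Cookie headers for cookies that lack the HttpOnly attribute.
// All cookie names and values below are constructed placeholders.

// Parse one Set-Cookie header value into { name, httpOnly, secure }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  // Attribute names are case-insensitive (RFC 6265).
  const attrs = parts.slice(1).map((p) => p.split('=')[0].trim().toLowerCase());
  return {
    name,
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
  };
}

// Classify each cookie:
//   'ok'        - HttpOnly is set
//   'exception' - script-readable by design and on the reviewed list
//   'finding'   - script-readable and not yet reviewed
function auditCookies(headers, reviewedExceptions) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    let status = 'finding';
    if (c.httpOnly) status = 'ok';
    else if (reviewedExceptions.has(c.name)) status = 'exception';
    return { name: c.name, status };
  });
}

// Constructed sample response headers (not captured from a real site).
const sampleHeaders = [
  'site_session=abc123; Path=/; Secure; HttpOnly',
  'social_login_permissions=granted; Path=/',
  'ui_theme=dark; Path=/; httponly',
  'cart_token=xyz789; Path=/; Secure',
];

// Placeholder name standing in for the cookie the login JavaScript must read.
const reviewed = new Set(['social_login_permissions']);

const report = auditCookies(sampleHeaders, reviewed);
console.log(report);
```

A cookie belongs on the reviewed list only after confirming that its value carries nothing an attacker could replay, such as a session identifier or token.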