Yes, the original CSRF attack using a plain html form does not even require JavaScript. CORS does not address this scenario.

But cross-domain post is only allowed if the payload is form data encoded. A Json payload from JavaScript would be blocked by default, as would other methods beyond get and post. Therefore you usually don’t have to worry about CSRF for a JavaScript API.

CORS is a a way to enable cross-domain calls from JavaScript without introducing the CSRF issue.