The malicious script could overwrite the value of document.myform.field with an object containing a value property. The alert could be thus made to display a message that looked like a different error message, such as:
Error in authentication. Please go to www.phisherman.com and enter your user name and password.
If you are linking to no such untrustworthy scripts, then no, this is not vulnerable to DOM-based XSS. form.field.value contains a string. It is not evaluated as script, escape characters have no effect, the string contained in the textbox will be displayed in the alert window. Nothing a user enters in that field could be used to harm your servers or corrupt your data based on the code you've posted.
If you are linking to scripts from untrustworthy sources, you have much greater security concerns than the above.
The only way this could be a potential threat is if you are including scripts that are not under your control from an untrustworthy source.
thanks for the answer! (no the auditor is not worried about harm to servers, he just pointed out that this may be unsafe for the users or something like that). Anyway, I guess it's non-issue!