Strange one, a PC in an inside private LAN runs http://www.whatismyip.com and the reply indicates both the private IP addr and the natted public address?
Surely the NAT on the ASA should have no remnant of the private address passed onto the internet?
There is nothing wrong with the NAT in your firewall.
As you have suspected, it is very easy to grab the private IP address of the client running the browser to access a public internet server, by running some active scripts.
These scripts will be executed locally in the client browser and they will be able to get the private ip address and pass it back to the server.
You can disable the scripting (java/vbscript) option in your browser, which will prevent this from happening.
Have a look at this URL for more info.
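
The point made in the answer above, as an added example that is not part of the original thread: source NAT rewrites the IP header only, so a private address that a script places in the request body still leaves the network, and an egress check can look for it. The function names, addresses and sample payload are constructed for illustration, and `nat_translate` is a simplified model, not ASA behaviour.

```python
import ipaddress
import re

# RFC 1918 ranges that should not appear in data leaving the NAT boundary.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Dotted quad that is not part of a longer dotted/numeric string (e.g. a version).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def nat_translate(packet, public_ip):
    """Simplified model of source NAT: only the header source field changes."""
    return {**packet, "src": public_ip}


def private_addrs_in_payload(payload):
    """Return the RFC 1918 addresses embedded in application-layer data."""
    found = []
    for candidate in IPV4_RE.findall(payload):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # not a valid IPv4 address, e.g. 999.1.1.1
            continue
        if any(addr in net for net in RFC1918) and candidate not in found:
            found.append(candidate)
    return found


# Constructed sample: a request body that a page script posts back to a server.
SAMPLE_PACKET = {
    "src": "192.168.1.50",
    "dst": "203.0.113.10",
    "payload": ("POST /report HTTP/1.1\r\nHost: example.test\r\n\r\n"
                "local_ip=192.168.1.50&ua=browser/1.2.3.4000"),
}


def demo():
    """Translate the sample packet, then inspect what the payload still carries."""
    outbound = nat_translate(SAMPLE_PACKET, "198.51.100.7")
    return outbound["src"], private_addrs_in_payload(outbound["payload"])


if __name__ == "__main__":
    src, leaked = demo()
    print("header source after NAT:", src)
    print("private addresses still in payload:", leaked)
```
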