WebRTC is only one of several ways that LAN IP addresses can be discovered.
There was a nice Black Hat 2012 talk on this topic, called Blended Threats and JavaScript: A Plan For Permanent Network Compromise, in which Phil Purviance and Josh Brashars presented an automated method to find and wipe your home wifi router with a single click on a website.
This predated WebRTC, so they had to discover your router's IP address in another way. This can be done with JavaScript scanners like jslanscanner, JSScan, JS-Recon, but a simple (yet large) collection of embedded objects that merely guess at the router's address (e.g. by embedding an expected router image and noting when it successfully loads). Once you've got the address, you can guess the password (starting with the expected default) using RouterPasswords.com or even bypassing authentication via Routerpwn.com.
As a proof of concept, their demonstration discovered the router IP, looked up its default password, logged in, and automatically installed replacement firmware (DD-WRT). A real attack could have any number of malicious capabilities on the new firmware and could easily make it appear to be the unmodified original router system.
(Admittedly, this identifies your home wifi router's LAN IP address rather than your local LAN IP address, but it's pretty close and arguably more alarming.)