The fear is that, while the current exploits are annoying but not especially dangerous, the same method of triggering Javascript code could be used for more nefarious purposes.