Bootstrap is a sleek, intuitive, and powerful front-end framework for faster and easier web development.
Affected versions of this package are vulnerable to Cross-Site Scripting (XSS) attacks via the data-target attribute.
These attacks are possible by escaping the context of the web application and injecting malicious scripts into an otherwise trusted website. These scripts can introduce additional attributes (say, a "new" option in a dropdown list or a new link to a malicious site) and can potentially execute code on the client side, unbeknownst to the victim. This occurs when characters like <>"' are not escaped properly.
There are a few types of XSS:
Persistent XSS is an attack in which the malicious code persists into the web app’s database.
Reflected XSS is an attack in which the website echoes back a portion of the request. The attacker needs to trick the user into clicking a malicious link (for instance through a phishing email or malicious JS on another page), which triggers the XSS attack.
The vulnerability has been fixed in versions 3.4.0 and 4.0.0-beta.2, but these versions had not been released to npm as of Jan 19th, 2018.
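As an added mitigation example (not Bootstrap's own code or its actual fix), the check below allow-lists a data-target value before it is handed to a selector engine such as jQuery's $(), which treats a string that looks like markup as HTML to parse rather than as a CSS selector; the regex, function names and sample values are assumptions constructed for this illustration.

```javascript
// Added example, not Bootstrap's code: accept only plain id/class selectors
// (optionally comma- or descendant-combined) from a data-target attribute.
const SAFE_SELECTOR = /^[#.][A-Za-z0-9_-]+(?:\s*[,>\s]\s*[#.][A-Za-z0-9_-]+)*$/;

// Returns the trimmed selector when it is safe, otherwise null so the caller
// can ignore the attribute instead of passing attacker-controlled markup on.
function safeTarget(value) {
  if (typeof value !== 'string') return null;
  const trimmed = value.trim();
  // Characters that can turn the string into markup or break out of a selector.
  if (/[<>"'()]/.test(trimmed)) return null;
  return SAFE_SELECTOR.test(trimmed) ? trimmed : null;
}

// Hardened replacement for reading the target of a toggle element: prefers
// data-target, falls back to href (as Bootstrap components historically do),
// and only ever returns a validated selector.
function targetSelectorFor(attrs) {
  const raw = attrs['data-target'] || attrs['href'] || '';
  return safeTarget(raw);
}

// Constructed sample attribute values as they might appear in the DOM.
const SAMPLES = [
  '#collapseOne',
  '.panel-collapse',
  '#a, #b',
  '<img src=x onerror=alert(1)>',
  '#x"><script>alert(1)</script>',
];

// Classify each sample so a reviewer can see what the allow-list admits.
function classify(values) {
  return values.map(v => ({ value: v, accepted: safeTarget(v) !== null }));
}
```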