Cross Site Scripting (or XSS) is one of the most common application-layer web attacks. Attackers can steal the session ID of a valid user using XSS. The session ID is very valuable because it is the secret token that the user presents after login as proof of identity until logout. The attackers can then use the valid session ID to browse the site without logging in. The script could also collect other information from the page, including the entire contents of the page.
Source: https://thehackernews.com/2011/11/myopenid-xss-one-of-largest-openid.html