XSS or cross-site scripting is a "popular" type of security hole among "old-school" hackers that's also one of the most common vulnerabilities out there as well. The most popular websites on the Worldwide Web continue to suffer from this weakness in one form or another, even in light of all the encryption advancements and advanced safety measures being implemented to ensure the security of any given page. XSS is a favorite among hackers to exploit; it can even be called a "classic" in the realm of IT security problems, which means it is right up there with spam and viruses as the oldest of security flaws around.
Common XSS Vulnerabilities
The malware can be executed on any browser to boot. Hackers have made it a sport to find website XSS, whether they're black hat, white hat, or gray hat hackers. It's just your luck if a black hat hacker had found your vulnerability and he has set his sights on your exposed site to "teach you a lesson" or to simply entertain himself. He might even use XSS to take control of your financial accounts if you're incidentally an online banking site or financial institution. Cookie stealing for the sake of causing session hijacking is the most popular application of XSS.
As soon as your browser history and cookies are accessed with full read/write privileges by a hacker, he'll be free to execute his malware on your site with extreme prejudice. As for hunting down for XSS, you should hope to the high heavens that it's a security team or a white hat hacker who found your XSS first before the black hat. If a website is coded in such a way that sanitizing or filtering user input properly is beyond the scope of its capabilities, then it's a definite candidate for possible XSS vulnerabilities, since it's usually executed as a kind of user input. User input in this context can come in the form of profile forms, login forms, search forms, and so forth.