It can be used to view or steal personal data without you even realizing that it’s happening.
JS itself isn’t a virus building language nor does it have access to the system. It’s isolated in the browser. However, JS can be used to redirect you to a malicious site or embed an iframe that displays the malicious site. But JS isn’t the language that carries out the attack, it just aids the attack.