It doesn't matter how much functionality the JS was originally responsible for, it could've been as little as updating a clock, validating forms, or just some silly animation. Once that JS executes in your browser it has access to your cookies and local storage, which means it can trigger whichever server-side actions it wants.
My second comment is not unrelated. The root cause of this mess is the fact that JS can be edited by privileged users without an approval process. If every change to the JS code required the user to enter their 2FA code (TOTP, let's say) then there would be no way for the worm to spread whenever users visited a page.
I’m referring to the use of JavaScript in general in the building of web apps themselves. My comment is the same about 2FA.
I’m making these comments from the general perspective because I see it as a security risk when front end scriptability and app logic are more available than say server side apps.
Hope that clarifies my comments.