Description
When setting a cookie, the API accepts an attribute value that contains a semicolon, and it does not give any error. If the attribute value comes from an untrusted source, it can lead to injection of new attributes beyond the intended one.
Example: path = '/numbers;domain=.iana.org'
Cookies('nameofcookie', 'cookievalue', {path: '/numbers;domain=.iana.org'})
Reproduce:
location='https://www.iana.org/protocols'
$.getScript('https://cdn.jsdelivr.net/npm/js-cookie@2/src/js.cookie.min.js')
Cookies('nameofcookie', 'cookievalue', {path: '/numbers;domain=.iana.org'})
console.log(document.cookie)
Output: [EMPTY]
location='/numbers'
console.log(document.cookie)
Output: nameofcookie=cookievalue
I think the path value cannot contain a semicolon but I am not completely sure.
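The behaviour reported above, modelled outside the browser as an added example (not part of the original issue and not js-cookie's own code): a serializer that concatenates attribute values unchecked, a minimal parser showing how the `;` delimiter turns one attribute into two, and a strict variant that rejects such values. The function names `serializeNaive`, `parseAttributes` and `serializeStrict` are hypothetical.

```javascript
// Added example: all function names are hypothetical, not js-cookie's API.

// Naive serializer: concatenates attribute values unchecked,
// which is the behaviour the issue describes.
function serializeNaive(name, value, attrs = {}) {
  let out = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
  for (const [k, v] of Object.entries(attrs)) {
    out += v === true ? `; ${k}` : `; ${k}=${v}`;
  }
  return out;
}

// Minimal model of how a user agent splits a cookie string into
// attributes (RFC 6265 section 5.2: attributes are delimited by ';').
function parseAttributes(cookieString) {
  const [, ...rest] = cookieString.split(';');
  const attrs = {};
  for (const part of rest) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (key) attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return attrs;
}

// Hardened serializer: refuses ';' and control characters in attribute
// names and values instead of passing them through to the cookie string.
function serializeStrict(name, value, attrs = {}) {
  const bad = /[;\x00-\x1f\x7f]/;
  for (const [k, v] of Object.entries(attrs)) {
    if (bad.test(k) || (v !== true && bad.test(String(v)))) {
      throw new TypeError('invalid character in cookie attribute');
    }
  }
  return serializeNaive(name, value, attrs);
}

const untrustedPath = '/numbers;domain=.iana.org'; // value from the issue
const injected = parseAttributes(
  serializeNaive('nameofcookie', 'cookievalue', { path: untrustedPath })
);
console.log(injected); // one supplied attribute is parsed as two
```

Rejecting the value makes the bad input visible to the caller; truncating at the first `;` is the alternative, at the cost of silently changing what was passed in.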