  1. Common Controller SDK
  2. CCSDK-985

XSS vulnerability in bootstrap.js


      bootstrap.js is vulnerable to cross-site scripting (XSS). The data-target attribute in bootstrap.js interprets encoded HTML entities as standard HTML entities, allowing an attacker to craft input containing malicious JavaScript and inject it into the data-target attribute, resulting in cross-site scripting.

      The following CVEs are related to specific XSS vulnerabilities that are addressed in version 4.1.2:

      CVE-2018-14042
      CVE-2018-20676
      CVE-2018-20677

      There is no completely non-vulnerable version of bootstrap.js.  Alternatives should be investigated.
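An allowlist check for the data-target exposure described above, as an added example that is not part of the original issue or the CCSDK code. It assumes targets in the application are simple `#id` or `.class` selectors; `safeDataTarget` and `auditDataTargets` are hypothetical names and the sample markup is constructed.

```javascript
// Added example: allowlist for values that end up in a data-target attribute.
// Assumption: every legitimate target is a single "#id" or ".class" selector.
const SIMPLE_SELECTOR = /^[#.][A-Za-z_][A-Za-z0-9_-]*$/;

// Returns the trimmed value if it is a simple selector, otherwise null.
// Call this before writing any externally influenced value into data-target.
function safeDataTarget(value) {
  if (typeof value !== "string") return null;
  const v = value.trim();
  return SIMPLE_SELECTOR.test(v) ? v : null;
}

// Scans a markup string (template, rendered page, fixture) and returns every
// data-target value that fails the allowlist, so it can be reviewed or fixed.
function auditDataTargets(markup) {
  // Handles double-quoted, single-quoted and unquoted attribute values.
  const attr = /(?:^|\s)data-target\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const rejected = [];
  let m;
  while ((m = attr.exec(markup)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    if (safeDataTarget(raw) === null) rejected.push(raw);
  }
  return rejected;
}

// Constructed sample markup: two acceptable targets, two that must be rejected
// (one carries encoded HTML entities, one is a compound selector).
const sample = [
  '<button data-toggle="collapse" data-target="#details">More</button>',
  "<a data-toggle='modal' data-target='.help-modal'>Help</a>",
  '<button data-toggle="collapse" data-target="&lt;b&gt;x">Entities</button>',
  '<button data-toggle="collapse" data-target="#a, #b">Compound</button>',
].join("\n");

console.log(auditDataTargets(sample));
```

The check narrows what reaches data-target; it does not replace upgrading or replacing the library.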

            djtimoney Dan Timoney