User management with Absinthe for API

Big security problems and opens the way for an XSS attack that in most cases can’t be stopped. Also, if you don’t have a blacklist for rejected tokens, or the blacklist gets leaked, your application will get crashed.
All your data will be owned by the hacker (deleting, stealing your data or manipulating it).

Summary: Always use session cookies unless you are not on a browser (mobile), but even then still use cookie-based sessions, because they are much more secure.

Some information can be found here from a security expert at Okta, @rdegges.
