Maybe I'm missing something but the first word that comes to mind is "exploit"...

It should require explicit user confirmation to connect, but yes, there's a risk, e.g. if a user is tricked.

https://www.yubico.com/support/security-advisories/ysa-2018-...

I was also wondering about possibility of infecting USB key using web app

Ah -- I hadn't thought of the infection swinging both directions, but if the API is there that's a possibility:

function onUsbConnect( if (exploitPossible) { do_evil_to_usb(); } );