


Cyber security agency warns about security risks of HTML5

The European Network and Information Security Agency (ENISA) warns users about more than fifty security threats in HTML5. The ENISA states that security is being forgotten in the development of HTML5.

Posted on 2nd of August 2011 on 08:31 PM by Wietze.

According to a recently published report by the ENISA, the security threats in HTML5 aren't small threats.

The current specifications of HTML have several flaws, for example in the Cross-Origin Resource Sharing (CORS) implementation. CORS allows Web browsers to mix resources from multiple websites. It opens an attack surface on legacy servers that do not understand the corresponding requests. This enables attackers to trigger cross-domain APIs.

These CORS security risks are not new. Matt Austin, a security researcher, explained in 2010 how this HTML5 feature can render old code insecure. He demonstrated how he could abuse this HTML5 feature to access the Facebook profiles of people by letting them visit a specially crafted website.
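How a server that does understand CORS requests can treat the Origin header, shown as an added example that is not part of the ENISA report or the original article. The function name, the policy object and the origins are hypothetical and constructed for illustration.

```javascript
// Added example; every name and origin below is hypothetical or constructed.
const POLICY = {
  // Exact origins trusted to call this API. Include the site's own origin,
  // since browsers also send Origin on same-origin POST requests.
  allowedOrigins: new Set(["https://app.example.test"]),
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type"],
};
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// req: { method, headers } with lower-cased header names.
// Returns the status, the response headers and whether the handler may run.
function evaluateRequest(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const headers = { Vary: "Origin" }; // keep caches from mixing per-origin replies
  const deny = { status: 403, headers, runHandler: false };

  // No Origin header: not a CORS request, so no CORS headers are added.
  if (origin === undefined) return { status: 200, headers, runHandler: true };

  // Exact string match only: no substring or suffix tests, no reflecting
  // whatever Origin the client sent, and "null" is never trusted.
  const trusted = policy.allowedOrigins.has(origin);
  const wanted = req.headers["access-control-request-method"];

  if (req.method === "OPTIONS" && wanted !== undefined) { // preflight
    if (!trusted || !policy.allowedMethods.includes(wanted)) return deny;
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
    return { status: 204, headers, runHandler: false };
  }

  if (!trusted) {
    // "Simple" cross-origin requests arrive without a preflight. A server that
    // ignores Origin would run the handler; refuse state-changing methods here.
    if (!SAFE_METHODS.has(req.method)) return deny;
    // Safe methods run, but without Access-Control-Allow-Origin the browser
    // does not expose the response to the calling page.
    return { status: 200, headers, runHandler: true };
  }

  headers["Access-Control-Allow-Origin"] = origin;
  return { status: 200, headers, runHandler: true };
}
```

The check only helps when safe methods really have no side effects on the server; a legacy endpoint that changes state on GET needs that fixed first.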

The ENISA also mentioned that the new storage mechanism in HTML5 differs from the current cookie system. "HTML5 storage offers many advantages over ordinary cookies, and may become a more universal tracking mechanism. Like Flash cookies, HTML5 storage is more persistent than HTTP cookies."

Hopefully, the W3C working groups involved in the development of HTML5 will address these security issues as quickly as possible, so that Web browser developers can implement fixes for these issues and protect their users. However, many of the affected specifications are already supported by most browsers.


Tags: HTML5 W3C cookies CORS




 