The so called 'vulnerability' only occurs if the data-target value relies on data injected by something external (directly or indirectly) AND is shown on a page where other users than the attacker are affected.

In other words this is NOT an issue if all your data-target attributes are made of hardcoded html text. It is also generally not an issue if this page is only seen by the attacker (self-hack ...).

For example you could also say jQuery .html() is a vulnerability, which is a more obvious case, but still vulnerable to XSS if you are a total web beginner or just did not pay attention.

So in general, avoid injecting unescaped user data in third-party: popups, tooltips, ... or anything where DOM is directly manipulated behind the scenes.

I personally do not consider this a big vulnerability, but it is nicer if a famous framework like bootstrap handles this case or explicitely names the method as unsafe to warn developers.

Chrome audit considers bootstrap 3.3.x a vulnerability (via synk):

Includes front-end JavaScript libraries with known security vulnerabilities

• Is Bootstrap 3.3.7 safe and secured if "data-target" attribute is unused?
• https://news.ycombinator.com/item?id=14989841