Topic: CSRF attack / XSS at login

Question: how bad is this attack? A malicious JavaScript alert showed up in anti-virus for the login page. Is there a lot of information that could have been compromised? Should all users be notified to change their passwords? Thanks.