I see this as eventually being pretty bad. Sure, the proof of concept is pretty tame and forces you to enter a start and end IP address and hit the “scan” button. Malevolent versions of the same could easily scan automatically and interact with the target (possibly changing settings on routers it knows how to talk to, for instance issuing a POST/GET request emulating a form on a particular administrative page, telling it to change the DMZ, read the password, disable encryption, etc.). The whole thing could even be bundled as the payload of other cross-site-scripting attacks.
Unfortunately, the easy fix for this would end up breaking the vast majority of websites out there.