CSS-in-JS is an exciting new technology that completely eliminates the need for CSS class names. It makes it possible to add styles directly to your components, using the full power of CSS. Unfortunately, it also promotes interpolation of unescaped props into that CSS, opening you up to injection attacks.
And CSS injection attacks are a major security hazard.
CSS-in-JS tools are like eval for CSS. They’ll take any input and evaluate it as CSS.
You can read more about attacks like this one at Reading Data via CSS Injection.
React supports IE9, and will for the foreseeable future.