The Implicit Flow was originally designed for native or single-page apps that cannot securely store Client Credentials.

Here, the User Agent is redirected to the Authorization Server and, after authentication and consent, the Authorization Server returns the Access Token directly to the User Agent, without an intermediate Authorization Code exchange.

This can be compromised through vulnerabilities such as XSS or a redirect_uri validation flaw.
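As an added illustration (not code from the original page), the Python sketch below uses constructed URIs to show both halves of the risk: the Authorization Server places the Access Token in the redirect's URL fragment, where any script running on the page can read it, and a strict exact-match redirect_uri validator, the kind whose absence is the validation flaw mentioned above.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample: the redirect URIs registered for one client (exact strings).
REGISTERED_REDIRECT_URIS = {"https://app.example/callback"}


def redirect_uri_is_valid(candidate: str, registered=REGISTERED_REDIRECT_URIS) -> bool:
    """Exact string comparison against the registered URIs.

    Prefix matching, wildcard hosts, or ignoring the path/query are the usual
    validation flaws: they let a token be delivered to a page the client
    never registered.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https":      # never deliver a token over plaintext
        return False
    if parts.fragment:               # the fragment is reserved for the token response
        return False
    return candidate in registered


def build_implicit_response(redirect_uri: str, access_token: str, state: str,
                            expires_in: int = 3600) -> str:
    """Authorization Server side of the implicit grant.

    The token travels in the URL fragment, so it never reaches the server
    hosting redirect_uri but is readable by any script in that origin.
    """
    if not redirect_uri_is_valid(redirect_uri):
        raise ValueError("redirect_uri is not registered for this client")
    params = urlencode({"access_token": access_token, "token_type": "Bearer",
                        "expires_in": expires_in, "state": state})
    return f"{redirect_uri}#{params}"


def parse_fragment_token(location: str) -> dict:
    """Client (single-page app) side: read the token from the fragment.

    This is what window.location.hash parsing does in the browser; an XSS
    payload in the same origin can perform the same read, which is why
    XSS fully compromises the Implicit Flow.
    """
    fragment = urlsplit(location).fragment
    return {key: values[0] for key, values in parse_qs(fragment).items()}
```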