What can happen?
The attacker is able to execute anything in the visitor’s browser under your domain. In that aspect this is similar to XSS.
The attacker can take advantage of the site’s traffic to infect the visits using browser exploits. Malware can could also be used to keep any activity happening on the web site under surveillance, including login credentials, credit card data, or any other sensitive data.
Everything points to the possibility of there being more attacks like this in the future and there are no signs of this type of attack being in decline.
The first step is to delete the file, but understanding how it got there in the first place is equally important. If you are not able to identify how your website was hacked and protect it against this type of attack, chances are it will soon happen again.
Even if the hole the attackers first came in through is discovered and fixed, a backdoor could still remain. If possible, reset the system with a backup done before the attack happened or let someone more experienced in the field take a look at it.