[PSA] Don't go into steam profiles

It's a cross-site scripting (XSS) exploit.

Web pages are written in HTML. In the user profile page there will be a part of the HTML that is written by Valve and parts that are user-generated content, such as the user name, profile descriptions, name of friends, etc.

The thing is that when Steam is generating the webpage it must take special care so that the user-generated content does not contain any special HTML characters. For example, suppose that the generated webpage ends up looking like:

<h1>smog_alado's profile</h1>

What happens if I insert "<"s in my username? If they are not careful and just copy-paste the user generated content in the HTML they will effectively be letting me insert special HTML on the page:

<h1>smog <img src="example.com">'s profile</h1>

Why is this dangerous? Well, one of the special tags in HTML is the <script> tag. Instead of just serving to add styling to the page, script tags run code and can simulate clicks on any button or form that is visible on the page or make requests to the Steam API under your credentials (if you are logged in). In effect, the XSS exploit lets the malicious user run code in the webpage with the same privileges Valve themselves have.

And how do you prevent these problems? Basically, every piece of user-generated text in an HTML page must have the special characters escaped. < becomes &lt;, > becomes &gt; and so on. It's a bit similar to how you use \ to prevent markdown formatting in reddit comments.

As for this being a "stored XSS" exploit, it means that the malicious user-generated content is something persistent that is stored on Valve's servers (like user names or comments are), meaning that the XSS exploit will be shown to every user that visits the vulnerable page.


The safe thing to do is to simply not visit the vulnerable Steam profile pages until they fix it. Not logging in should also prevent them from taking advantage of you but will still let them attempt to run code on your machine. Better be safe than sorry and don't allow that in the first place...
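The profile header from the comment above, built two ways: pasted raw (the bug the comment describes) and with HTML escaping applied first. This is an added example, not code from the comment or from Steam; the function names, the escaping table and the sample names are constructed for the illustration.

```javascript
// Added example: rendering a profile header from a stored user name.
// Names (escapeHtml, renderProfileUnsafe, ...) are invented here.

// Characters that change meaning inside HTML text or attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape user-generated text before inserting it into HTML.
// '&' is escaped as well, otherwise a literal "&lt;" typed by a user
// would be read back by the browser as a real '<'.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the stored user name is copy-pasted into the markup,
// so any tag inside the name becomes part of the page.
function renderProfileUnsafe(userName) {
  return `<h1>${userName}'s profile</h1>`;
}

// Fixed: same template, user name escaped first. The browser now shows
// the angle brackets as text instead of treating them as a tag.
function renderProfileSafe(userName) {
  return `<h1>${escapeHtml(userName)}'s profile</h1>`;
}

// Defender-side check: the template contributes exactly one <h1> and
// one </h1>, so any other tag in the output came from user content.
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?h1>$/.test(t));
}

// Constructed sample names: a plain one and the one from the comment.
const normalName = "smog_alado";
const hostileName = 'smog <img src="example.com">';

console.log(renderProfileUnsafe(hostileName)); // img tag is live markup
console.log(renderProfileSafe(hostileName));   // img tag is inert text
```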
