Stealing ethereum with web3js?

If you have a UI for a project and it is hooked up to web3js are there any ways for a developer to empty user funds.

To be more specific- if you access a Dapp would it be possible for someone to steal funds through metamask?

Like can you build a script that would get users privatekey revealed when he is interacting with a dapp(malicious)