If a refresh token is stolen, the malicious user can access the real user's session (until it expires) and may generate a new token. Hackers may use techniques like session hijacking, XSS, or CSRF (cross-site request forgery) to get the token.
HTTP-only cookies allow us to store sensitive data, such as refresh tokens, in a way that cannot be accessed by JavaScript. This means that even if there are vulnerabilities in your code or third-party libraries, a hacker won't be able to read the refresh token from script.
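As an added example (not code from the original page), the sketch below builds a refresh-token `Set-Cookie` header with `HttpOnly`, models which cookies page script can read through `document.cookie`, and flags token-like cookies set without the flag. The cookie names, the `/auth/refresh` path, the lifetime and the `Secure`/`SameSite` attributes are assumptions.

```javascript
// Added example: names, path, lifetime and extra attributes are assumptions.
// Serialize a Set-Cookie header value for a refresh token.
function buildRefreshCookie(token, { httpOnly = true, maxAgeSeconds = 7 * 24 * 3600 } = {}) {
  const parts = [
    `refresh_token=${encodeURIComponent(token)}`,
    "Path=/auth/refresh", // assumed refresh endpoint: cookie is sent only there
    `Max-Age=${maxAgeSeconds}`,
    "Secure", "SameSite=Strict", // assumed hardening beyond what the page covers
  ];
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// Parse a Set-Cookie value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attributes = new Map();
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes.set(key, i === -1 ? true : a.slice(i + 1));
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes };
}

// Model of what page script sees via document.cookie: HttpOnly cookies are omitted.
function scriptVisibleCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.attributes.has("httponly"))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Defender check: names of token-like cookies that are set without HttpOnly.
function cookiesMissingHttpOnly(setCookieHeaders, sensitive = /token|session/i) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => sensitive.test(c.name) && !c.attributes.has("httponly"))
    .map((c) => c.name);
}

// Constructed sample: one hardened cookie, one UI preference, one weak token cookie.
const sample = [buildRefreshCookie("constructed-sample-token"),
  "theme=dark; Path=/", "legacy_token=abc123; Path=/"];
console.log("script can read:", scriptVisibleCookies(sample));
console.log("missing HttpOnly:", cookiesMissingHttpOnly(sample));
```

`HttpOnly` only stops script from reading the cookie; the browser still attaches it to matching requests.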