Is sending "Access-Control-Allow-Origin: http://localhost:8888" dangerous?
For an attacker to make use of this CORS header, he must run Javascript on localhost:8888. Inspired by your question, I looked for a service that runs on localhost:8888 and allows an attacker to run Javascript. I found one:
MAMP is a webstack that runs on port 8888 by default, and comes with the vulnerable SQLiteManager. SQLiteManager has several vulnerabilities, one of which is XSS using CSRF, so an attacker could trigger Javascript remotely to run in the context of localhost:8888. It would then be able to read data from your high value target.
This attack is not really probable, since it would only work for users that are both visitors of your site and users of MAMP. Furthermore, MAMP also has a remote code execution vulnerability, so the attacker does not need the CORS header to read HTTP responses.