The "message" event handler on the page is vulnerable because it doesn't verify the message origin. The recipient validation can be circumvented by setting window name to the same value as the message recipient, and by choosing a value here that passes the validity check. ASCII strings cannot pass the validity check but Unicode strings like "\x70\x61\u6161\0\0\0\0\u7373" or "\x70\x10\x10\x10\x10\u6161\u6100\u7373" will.
Once the message is accepted by the page, it can be used to generate a custom event. Using "ajaxSuccess" as event name will trigger ajaxSuccess handler. Passing HTML code as "selector" will make jQuery constructor create new elements from that HTML code rather than select existing elements, this allows triggering XSS payload.
