Small sample showing how the postMessage method can be used to inject JavaScript (XSS) into the receiver page.
The simplest way to test it is with Python's http.server. Run "python -m http.server 80" in the folder containing both files and you are ready to go!
More about postMessage: (https://developer.mozilla.org/pt-PT/docs/Web/API/Window/postMessage)
(https://medium.com/javascript-in-plain-english/javascript-and-window-postmessage-a60c8f6adea9)
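How a receiver page can handle messages so the injection no longer works, shown beside the vulnerable pattern. This is an added example, not code from this repository; the handler names, the allowlist, the length bound and the "output" element id are assumptions, and the receiver is assumed to be served from http://localhost as in the test setup above.

```javascript
// Added example, not from the repository. Assumption: the receiver is served
// from http://localhost (port 80 is the default, so the origin has no port).
const TRUSTED_ORIGINS = new Set(["http://localhost"]);
const MAX_LEN = 200; // assumed upper bound for a display message

// Vulnerable pattern: any window can send, and the data reaches an HTML sink.
function vulnerableHandler(event, el) {
  el.innerHTML = event.data;
  return true;
}

// Hardened pattern: exact-match origin allowlist, type and size checks,
// and a text-only sink so markup in the message is never parsed.
function hardenedHandler(event, el, trusted = TRUSTED_ORIGINS) {
  if (!trusted.has(event.origin)) return false;
  if (typeof event.data !== "string" || event.data.length > MAX_LEN) return false;
  el.textContent = event.data;
  return true;
}

// Constructed sample events; plain objects stand in for MessageEvent and the
// output element so the logic also runs under Node.
const SAMPLES = [
  { origin: "http://localhost", data: "hello" },
  { origin: "http://localhost", data: "<b>markup</b>" },
  { origin: "http://localhost.other.example", data: "hello" }, // look-alike origin
  { origin: "http://other.example", data: "<b>markup</b>" },
  { origin: "http://localhost", data: { html: "<b>markup</b>" } }, // wrong type
];

// Runs one handler over every sample and reports what reached each sink.
function runSamples(handler) {
  return SAMPLES.map((event) => {
    const el = { innerHTML: "", textContent: "" };
    const accepted = handler(event, el);
    return { accepted, innerHTML: el.innerHTML, textContent: el.textContent };
  });
}

// Browser wiring (the element id "output" is hypothetical):
// window.addEventListener("message", (e) =>
//   hardenedHandler(e, document.getElementById("output")));
console.log(runSamples(hardenedHandler).map((r) => r.accepted));
```

The sender side should also pass the receiver's exact origin as the targetOrigin argument of postMessage instead of "*".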