Security: Serviceworkers + ForeignFetch = botnet and persistent JS
Reported by homakov@gmail.com, Nov 6 2016
Issue description

VULNERABILITY DETAILS
ServiceWorkers and the new Foreign Fetch feature can be abused to get persistent JS code execution.
1. Visit https://jsfiddle.net/Lsd6vgkb/3/
2. Close the tab.
3. A few minutes later, open DevTools on any other page and see, under Application/ServiceWorkers/Show All, a truefactor.io service worker in Running state forever.

VERSION
Chrome Version: 54+
Operating System: all

REPRODUCTION CASE
See truefactor.io/catworker for a demonstration. You can infect yourself and then broadcast a JS command that can be executed hours after you visited the page with the injected image.

This is probably a Low severity bug, but I wanted to escalate it a bit. The first thing to do is to stop giving out Origin Trial tokens for Foreign Fetch. Then reconsider its security model to stop recursive call execution. By design it allows one service worker to "foreignfetch" the other, so two domains can keep pinging each other forever (delaying termination of the script, which happens after 60 seconds of no events). This is something to be fixed in the architecture of Foreign Fetch.
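The following is an added virtual-clock model of the keep-alive loop the report describes; it is not the reporter's code and not Chrome's implementation. Two service workers on two origins (called "a" and "b" here, assumed names) answer every foreign fetch by fetching the peer. The model assumes what the report states and nothing more: a worker is terminated after 60 seconds without an event, an incoming fetch resets the idle timer (and restarts a terminated worker), and a worker's own timers do not keep it alive. The `recursiveForeignFetch` switch is an assumption that models the reporter's proposed fix, "stop recursive call execution", as a fetch issued from inside a service worker never being dispatched to another service worker's foreignfetch handler.

```javascript
// Added model (not the reporter's code, not Chrome's implementation) of the
// ping-pong between two service workers described in the report. Worker names
// "a" and "b", the page-initiated first fetch and the fix switch are assumptions.

const IDLE_TIMEOUT_MS = 60 * 1000; // termination after 60 s with no events (from the report)

// Simulate `durationMs` of virtual time.
//   pingDelayMs           delay before a worker fetches its peer after handling an event
//   recursiveForeignFetch true  = fetches issued from inside a service worker are
//                                 dispatched to the peer's foreignfetch handler
//                                 (the Foreign Fetch design the report objects to)
//                         false = such fetches bypass the peer's handler (assumed model
//                                 of the "stop recursive call execution" fix)
// Returns, per worker: events handled, restarts after idle termination, and
// whether it is still in Running state when the simulation ends.
function simulateKeepAlive({ durationMs, pingDelayMs, recursiveForeignFetch }) {
  const workers = {
    a: { lastEvent: -Infinity, events: 0, starts: 0 },
    b: { lastEvent: -Infinity, events: 0, starts: 0 },
  };
  const peer = { a: 'b', b: 'a' };
  // Fetches in flight. The chain starts when a page loads an image from origin a,
  // which is served through a's foreignfetch handler.
  const inflight = [{ at: 0, to: 'a', from: 'page' }];

  while (inflight.length) {
    inflight.sort((x, y) => x.at - y.at);
    const ev = inflight.shift();
    if (ev.at > durationMs) break;
    // With the fix, a fetch originating in a service worker never reaches another
    // service worker's handler, so the ping-pong ends after the first hop.
    if (ev.from !== 'page' && !recursiveForeignFetch) continue;

    const w = workers[ev.to];
    // Idle-terminated (or never started) workers are spun up to handle the event.
    if (ev.at - w.lastEvent >= IDLE_TIMEOUT_MS) w.starts += 1;
    w.lastEvent = ev.at;
    w.events += 1;
    // The handler responds, then fetches the peer, resetting the peer's idle timer too.
    inflight.push({ at: ev.at + pingDelayMs, to: peer[ev.to], from: ev.to });
  }

  const summary = {};
  for (const [name, w] of Object.entries(workers)) {
    summary[name] = {
      events: w.events,
      restarts: Math.max(w.starts - 1, 0), // the initial start is not a restart
      runningAtEnd: durationMs - w.lastEvent < IDLE_TIMEOUT_MS,
    };
  }
  return summary;
}

// One hour of virtual time, pinging every 20 s so each worker sees an event every 40 s,
// i.e. well inside the 60 s idle window.
const HOUR_MS = 60 * 60 * 1000;
console.log('as designed:', JSON.stringify(
  simulateKeepAlive({ durationMs: HOUR_MS, pingDelayMs: 20 * 1000, recursiveForeignFetch: true })));
console.log('with fix   :', JSON.stringify(
  simulateKeepAlive({ durationMs: HOUR_MS, pingDelayMs: 20 * 1000, recursiveForeignFetch: false })));
```

Under the as-designed setting both workers stay in Running state for the whole hour with zero restarts, which is the "forever" the reporter observes in DevTools; raising `pingDelayMs` above the idle window only turns the permanent worker into one that is restarted by every ping. Cutting the service-worker-to-service-worker hop ends the chain after the first fetch and both workers idle out.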
Feb 14 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Nov 7 2016