VULNERABILITY DETAILS
I can't imagine this leading to an actual problem, but the behavior was surprising to me so here goes:

Service workers obey the policy sent in the HTTP response which returns the service worker. For example, if the SW has a CSP and tries to call importScripts('foo.js') this will fail unless the CSP contains script-src 'self'.

However, restrictions on eval() (e.g. script-src 'none', *without* 'unsafe-eval') have no effect on SWs. Serving a worker with such a policy still allows it to call eval() and does not cause a CSP violation; I believe it should do so.

VERSION
Chrome Version: Tested on M57, M59 (59.0.3053.3)
Operating System: Linux (Ubuntu)

REPRODUCTION CASE

HTML:
<head>
  <meta http-equiv="content-security-policy" 
        content="script-src 'nonce-foo' 'self'; worker-src *">
</head>

<script nonce=foo>
  navigator.serviceWorker.register('/cgi-bin/service-worker-with-csp.py', 
      {scope: '/cgi-bin/'}).then(function(registration) {
    console.log('SW registered');
    }).catch(function(error) {
    console.log('SW error');
  });
</script>

JS:
#!/usr/bin/python
import cgi
import cgitb
cgitb.enable()

print """\
Content-Type: text/javascript; charset=utf-8
Content-Security-Policy: script-src 'self';

console.log(eval(1));
self.importScripts('service-worker-foo.py');
"""

Output:
> 1
> SW registered