DOM access between same-origin tabs


Consider the following website. Page A (https://example.com/login) contains a login form and its password field has the attributes name and id set to "password". Page B (https://example.com/vuln) has a XSS vulnerability that allows an attacker to inject JavaScript code. One opens page A in a browser tab and enters a password, but does not submit it. Then, one opens another tab and visits page B there.

Since the pages have the same web origin, the Same-Origin Policy does not restrict access between them and, from the browser’s view, the attacker’s code is loaded from the origin https://example.com. But the pages’ DOMs are not connected by any path that allows to access each other.

Can the attacker’s injected JavaScript code access the password field and the password entered into it? If so, could someone provide a small example?