They however still have access to the JS context and thus the authenticated session when you are on the website. They can most likely exfiltrate all the data visible on the page and maybe even the auth token for further server-side misuse after you've closed the page.