> Though I think the same trick could be done with, say, <img> or <style>, and those wouldn't allow XSS
You can XSS with SVG "images" [1]. Though up-to-date browsers should be patched against this.
The other option is having an image which said the same as the alert() message. Again, using SVG, this needn't be much bigger file size than the JS response [2].
Sadly you can't guarantee that. If it was an advert, then yes, most likely it would be visible (barring ad blockers, but then they should hopefully block the attack anyway so that's a non-issue). But if it was a tracking image, then the dimensions would likely only be 1px^2.
I use those two specific examples (ad and tracking) because those seem to be the two instances in which this JS was MITM'ed.
[1] https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Swed...
[2] http://www.w3schools.com/svg/svg_text.asp