
From article:

So I tried placing there continue=javascript:alert(document.domain), and… It works!

What do you think document.domain returns in this case?



document.domain returns the current domain used in the document because no redirect occurred. Similar to if you typed it in your address bar right now, it should show you the HN domain.

It's commonly used as a placeholder in an alert-box XSS PoC. Weaponising this into an actual exploit could have been a fetch(), CSS inclusion, or enumerating localStorage.
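The quoted article line puts a `javascript:` URL into a `continue` redirect parameter. As an added example (not from the article or from either commenter), here is one way to allowlist such a parameter by checking the parsed URL rather than the raw string; `APP_ORIGIN`, `safeContinueTarget` and the `app.example` host are hypothetical names chosen for illustration.

```javascript
// Added example: validate a post-login "continue" redirect target.
// APP_ORIGIN is a constructed placeholder for the site's own origin.
const APP_ORIGIN = "https://app.example";

function safeContinueTarget(raw, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0) return fallback;

  let url;
  try {
    // Resolve against our own origin: relative paths stay on-site,
    // absolute URLs keep whatever scheme and host they carry.
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return fallback; // unparseable input never reaches the redirect
  }

  // Decide on the parsed result, not on the raw text. The URL parser
  // lowercases the scheme and strips tabs, newlines and leading spaces,
  // so "JaVaScRiPt:" and "java\tscript:" both show up as "javascript:".
  if (url.protocol !== "https:") return fallback;

  // Same-origin only. This also rejects "//host", "/\host" and
  // "https://app.example@host/", which all parse to a foreign host.
  if (url.origin !== APP_ORIGIN) return fallback;

  // Embedded credentials have no place in a redirect target.
  if (url.username !== "" || url.password !== "") return fallback;

  // Return the absolute URL. Returning only the path would let an input
  // such as "/.//host" normalise to "//host", which a browser reads as
  // a protocol-relative URL pointing at another site.
  return url.href;
}

// Constructed sample inputs, printed with the target each one yields.
for (const sample of [
  "javascript:alert(document.domain)",
  "//other.example/login",
  "/inbox?tab=1#top",
]) {
  console.log(JSON.stringify(sample), "->", safeContinueTarget(sample));
}
```
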



