The xss is stored via csrf. So an exploitation scenario would be that you visit a malicious page and then click in the search box on a new tab.