I'd say it's gotten a bit metaphysical at this point. The browser is is running the Javascript inside of a sandbox. This particular javascript file is a cross-compiled version of Dosbox, plus some API wrappers to make Dosbox think that it's running in Linux with SDL2. Dosbox in turn is emulating the CPU and hardware of a typical 386, as well as providing implementations of various DOS facilities.
Browser exploits exist (or at any rate have existed in the past, and may exist in the future; a 0-day may or may not exist at any given time), and most of them use Javascript in some way; this much is true. However, why write a DOS program that tricks Dosbox into tricking Emscripten into running that exploit when you could just run the exploit directly? This might be a great way to show off, but wouldn't be very practical.