Somebody from Google already commented about this:
The security of our users is a top priority, and this feature was designed with security and privacy in mind. We’ve re-investigated and this is not eligible for a reward, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C specification, and we continue to work on improvements.
http://gizmodo.com/google-chrome-has-a-bug-that-could-let-anyone-eavesdrop-1506483705
They don’t see it as a bug, and me neither. You gave permission to a domain to use your mic, be it in windows you forgot to close or not, it’s working as intended.