sauce

The code that the site uses is:

let jeff = (new URL(location).searchParams.get('jeff') || "JEFFF")
eval(`ma = "Ma name ${jeff}"`)

Note that searchParams gives you a URLSearchParams object, and its .get method gives you a string corresponding to the parameter. So, the objective is to come up with some characters that, when inserted into

ma = "Ma name <CHARACTERS>"

and run, results in arbitrary code execution.
First step is to surround the characters in “s, so as to end the string literal after the name and resume a string literal after the CHARACTERS:

ma = "Ma name " <SOMETHING ELSE> ""

So now you need to figure out what sort of characters can go into which will result in valid Javascript code. If you just put in alert(), that won't be valid:

ma = "Ma name " alert() ""

That’s a syntax error. You need something to indicate what the alert has to do with the string literal token that comes just before it. A - can do the trick, but so could any other operator, like +, %, and so on. You also need to connect the end of the alert with the resumed string literal, thus the need for another operator at the end:

ma = "Ma name "-alert('foo')-""

So, the characters that need to be inserted are:

"-alert('foo')-"

Note that because the string is delivered inside of a search parameter, a + won’t be interpreted as the literal character + - rather, it’ll be interpreted as a space. So jeff=”+alert(1337)+” won’t work, but jeff=”%2balert(1337)%2b” will.
Semicolons work as well, because they result in:

ma = "Ma name " <SOMETHING ELSE> ""
ma = "Ma name "; alert()        ;""

which is valid syntax.