alt Hacker NewsA third party script that's embedded into the task management website? Otherwise I don't see how it's going to get to the cookie. And if it is embedded into the website, it can force a fresh login and steal the cookie that way.
And you can set HttpOnly to stop javascript from being able to access the cookie... but that still won't stop the attack of making them log in again.
The threat model I imagined here was:
1. Initial access to physical machine, most likely via phishing malware, reckless employees downloading untrusted content, or bad luck.
2. Malware looks for browser cookies, hoping to steal temporary credentials but instead gains persistent creds, which grant Jira access. People re-use passwords; malware tries this password against AdUser and any other systems or other corp user accounts it can find
3. Direct Jira access used to pivot, that custom Jira app is probed for app vulns (likely given design).