No, but it's not easy (in fact it's quite hard to do well) because of how insecure the browser is.
You can take advantage of the fact that you can store private information in closures. To prevent malicious code from overwriting a native function to which you pass sensitive information (like the CSRF token in this case) you need to Object.freeze the prototype of things like XMLHttpRequest or take your own references of the native functions.
Naturally all of this assumes the user doesn't do something like set a breakpoint and then inject a script with access to scope variables. But if social engineering gets you that far, you could probably just have the user run any arbitrary code on their machine.
You can take advantage of the fact that you can store private information in closures. To prevent malicious code from overwriting a native function to which you pass sensitive information (like the CSRF token in this case) you need to Object.freeze the prototype of things like XMLHttpRequest or take your own references of the native functions.
Naturally all of this assumes the user doesn't do something like set a breakpoint and then inject a script with access to scope variables. But if social engineering gets you that far, you could probably just have the user run any arbitrary code on their machine.