varenc 12 hours ago
This is a great example of why a Content-Security-Policy (CSP) header should be considered mandatory for high-risk sites. With it you can effectively tell the browser what JS is allowed to run, meaning that any JS injected via XSS won't work. I suspect Coinbase and others already use CSP.
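As an added illustration (not part of the comment above), here is a simplified evaluator of a `script-src` policy that shows the point: an inline script injected through XSS is permitted when the policy carries `'unsafe-inline'` and refused under a nonce-based policy. The policies, the page origin `https://app.example` and the nonce value are constructed for the example; only a subset of CSP is modelled (no hashes, wildcards, `'strict-dynamic'` or path matching).

```javascript
// Added example: a toy CSP script-src evaluator. It implements only a subset
// of the spec: script-src with default-src fallback, 'self', host sources,
// 'unsafe-inline' and 'nonce-...'. Hashes, wildcards, 'strict-dynamic' and
// path matching are intentionally omitted.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// script is either { inline: true, nonce?: "..." } or { src: "https://host/x.js" }
function scriptAllowed(header, pageOrigin, script) {
  const d = parseCsp(header);
  const sources = d["script-src"] || d["default-src"];
  if (!sources) return true; // no governing directive: the browser allows everything

  // Extract nonce values from tokens of the form 'nonce-<value>'
  const nonces = sources
    .filter((s) => /^'nonce-/i.test(s))
    .map((s) => s.slice(7, -1));

  if (script.inline) {
    // Since CSP2 the presence of a nonce (or hash) makes 'unsafe-inline' ignored,
    // so an injected inline script without the right nonce is blocked.
    if (nonces.length) return script.nonce !== undefined && nonces.includes(script.nonce);
    return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  }

  const url = new URL(script.src);
  return sources.some((s) => {
    const lower = s.toLowerCase();
    if (lower === "'self'") return url.origin === pageOrigin;
    if (lower.startsWith("'")) return false; // other keywords do not match external scripts
    // Host source: with a scheme compare origins, otherwise compare the host name only
    return s.includes("://") ? new URL(s).origin === url.origin : lower === url.hostname;
  });
}

// Constructed sample policies and page origin
const PAGE_ORIGIN = "https://app.example";
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mValue'";
const injectedInline = { inline: true }; // what an XSS payload ends up as: inline, no nonce

console.log("weak policy allows injected script:", scriptAllowed(WEAK_CSP, PAGE_ORIGIN, injectedInline));
console.log("strict policy allows injected script:", scriptAllowed(STRICT_CSP, PAGE_ORIGIN, injectedInline));
```

The server-side nonce must be freshly random per response; reusing a static value would let an injected script simply carry it.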