A third party script that's embedded into the task management website? Otherwise I don't see how it's going to get to the cookie. And if it is embedded into the website, it can force a fresh login and steal the cookie that way.

And you can set HttpOnly to stop javascript from being able to access the cookie... but that still won't stop the attack of making them log in again.