This brings back memories. A few years ago there was a CTF challenge at Google CTF for a XSS using Closure. There was an unintemeed solution by exploiting a reflective XSS in the documentation that is served with the closure library on installation. The docs page with reflective XSS could be included in an iFrame to get arbitrary JS with access to the root document (since they ran on the sam origin). No idea if this vuln is still around.