The theory
99.9% of all JavaScript that is served on the web is static, e.g. the same no matter what values any cookies has or anything else. It's just a file that is served as-is from the server, just like say an ordinary JPG image.
For a few cases, though, the JavaScript might be generated dynamically (using a language like PHP), and a request could yield different results if it is made with or without cookies. In these rare cases there might be an XSSI vulnerability.
Generating dynamic JavaScript is a horrible design practise and not something you would expect well trained developers to do. So don't expect to find vulnerabilities like this easily. But sure, they are out there, somewhere... But if I knew where to find them, I would not be telling you - I would be disclosing the vulnerabilities responsibly to the owners of the sites.
An example
Let's say I am writing a webpage where users can pass secret messages to each other, hosted at secretmessage.com. The webpage checks for new messages by loading new_messages.js from the server. The content of that file is generated with PHP like this (note that the result will look different depending on the cookies in the request):
<?
session_start();
$user_id = $_SESSION["user_id"];
?>
var latestMessage = "<?= $database->getLatestMessage($user_id); ?>";
Running that script will put the latest message for the user making the request into a JS variable, that I then can convinently output somewhere. Great, isn't it? Well, no...
Now imagine the evil attacker creates a page (http://evil.com) that includes http://secretmessages.com/new_messages.js in a script tag. The browser will dutifully request the new_messages.js from secretmessages.com with cookies and all, including the session cookie. The content of latestMessage will then be readable from the code on evil.com. So all the attacker has to do to read peoples secret messages is to trick them into visiting evil.com.
