It's pretty simple to exfiltrate data from the JavaScript sandbox once it has been compromised via XSS. The simplest way is probably appending an img tag to the page's DOM, with a src pointing to a server you control and send the user's password as the image name.
I believe the only portions of the development kits which used Linux was the communication processor, an isolated computing platform bolted on to the hardware to facilitate certain debugging functions.
It no longer exists, but they likely still retain IP in this realm.