100% no solution, of course you can strongly complicate the hijackers life.
For example, suppose the script periodically makes an ajax call (the domain needs to be clearly spelled out), let the server checks the referrer and if it is not equal to his domain returns a response that is received the script locit useful functionality. A string with the hostname is not stored in an explicit form, and encrypted. And of course the whole thing through an obfuscator to get rid of, for example, through https://github.com/TShadwell/Horrible.js
Nothing more serious can not come up.