Stored XSS with HTTP only Session Cookies

I got into a bug bounty program where you develop a store front to shill garbage to the masses. After some rooting around I found an XSS location buried in a JSON object inside some script tags. The only possible context breakout was with a </script> tag. You can read more about XSS context here: