Something like that could in theory be abused if you use eval to decode JSON.
Popular JS libraries which provide JSON decoding functionality will default to JSON.parse when the browser has builtin JSON support, thus any recent browser shouldn't be vulnerable unless your code is incorrectly written.
