If you include third-party javascript code, you always risk XSS. Say you are testing a code with an ad provider:
<script src="http://some3rdPartySite.com/script.js"></script>
- Script can be modified to display and to get different results in the target domain and on all other pages. That is, you can see how he wants to show you, but you cannot be sure that it will be the same in some of your games.
- An ad provider can change the script on this server at any time, possibly after your tests.
If you do not trust your ad sellers, I suggest that they choose an image + URL or iframe URL + sizes. You can do "bad things" with an iframe (for example, dragging frames by redirecting from your client page), but you should still be subject to cross-domain policies. This is not the case if you allow javascript code to be executed.
You can also provide your own analytics for ad sellers to meet their needs.
In any case, to test javascript results, you can use Selenium drivers with any browser: http://seleniumhq.org/ . This allows you to load any page, execute javascript code and get results. This way you can load your javascript code, find the DOM for the nodes and check their sizes, etc.
Alternatively, you can look at sahi: http://sahi.co.in/w/