JS: truly secret vars (for securely submitting a score)
Is it possible to find a randomly generated value declared within an
anonymous function, and if so how?
(function () {
    var salt = Math.random()*10000|0;
    // assuming an event manager
    Events.on('custom event', function () {
        // do something amazing with salt here
    });
})();
Long story short, I am putting together a scoring system for a game.
The basic process is:
the server provides a nonce on page load (a randomly generated string)
the client then generates a random salt (a number between 0 & {x})
the client makes a call to the server with an MD5 hash of the nonce + salt
the server iterates over the original nonce {x} times until it finds a
match (and the salt)
all further communication is tested against this salt, if a mismatch is
found the client and server application instances are destroyed
all client-side script is called from within an anonymous function, with
no reference to the global (it relies on event listeners to fire
functions)
Everything works fine, and once the system has initialised it is fairly
difficult to crack the salt. You basically have a 1 in 10,000 chance of
getting it right, after which the system resets.
The major weakness lies in the accessibility of the salt. I've found that
if any expression within the anonymous function is directly exposed to the
global object, you can easily find the value by watching the expression in
the source inspector. However it seems to become a lot less obvious if the
function is invoked by an event listener with an external scope.
Short question long, am I missing something? Is this information still
very much accessible within the inspector (or anywhere), and if so, how?
A footnote: I realise there are probably a few major holes in this logic;
if you'd like to constructively point them out, please do so as a comment,
not an answer. Cheers!