In light of the recent supply chain attack on the polyfill.io CDN, a GitHub account and domain were taken over by a malicious actor, who began injecting harmful JavaScript into thousands of websites. If websites load JavaScript, this script can operate in the first-party context and may perform a range of actions, including logging form data, capturing cookies, and modifying the website as desired. This poses an extreme risk if you do not trust the source completely.
One way to mitigate this risk is by using Subresource Integrity (SRI), which allows you to pin a remote JavaScript file to a specific hashed fingerprint of its content. This makes loading remote resources significantly safer by blocking the loading if the content of the remote JavaScript content changed.