From Security Metrics on a recent scan:
What is the issue?
The application includes 3rd party JavaScript libraries and does not perform a Subresource Integrity check.
What is the impact of this issue?
The single greatest risk is a compromise of the third party JavaScript server and the injection of malicious JavaScript into the host. This has happened as recently as June 2019.
The invocation of 3rd party JavaScript code in a web application requires consideration for three risks in particular:
• The loss of control over changes to the client application
• The execution of arbitrary code on client systems
• The disclosure or leakage of sensitive information to 3rd parties
How can this issue be fixed? Review 3rd party scripts.
• Verify the integrity of the script with a Subresource Integrity check.
• If the 3rd party system does not support CORS, host the file locally.
References
• https://www.owasp.org/index.php/3rd_Party_Javascript_Management_Cheat_Sheet
• https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-... cloudfront-cdn/
• https://hacks.mozilla.org/2015/09/subresource-integrity-in-firefox-43/
• https://www.zdnet.com/article/inbenta-blamed-for-ticketmaster-breach-say...
• https://www.srihash.org/
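As an added example (not part of this issue or the commerce_braintree patch), a Python check for the finding above: it computes integrity values the way srihash.org does, applies the browser's matching rule (strongest listed algorithm, any one of its tokens may match, so an unversioned file such as checkout.js fails once it changes after pinning), and lists cross-origin script tags that lack integrity, or carry integrity without the crossorigin attribute the CORS remark refers to. The sample markup and the cdn.example.test URLs are constructed.

```python
import base64
import hashlib
import re

# Constructed sample markup (not output of the commerce_braintree module); the
# paypalobjects.com URL is the unversioned script discussed in the comments.
SAMPLE_HTML = """
<script src="https://cdn.example.test/lib/1.0.0/client.js"></script>
<script src="https://www.paypalobjects.com/api/checkout.js"></script>
<script src="https://cdn.example.test/lib/1.0.0/hosted-fields.js" integrity="sha384-EXAMPLEHASH"></script>
<script src="/sites/all/modules/custom/checkout.js"></script>
"""
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the only algorithms SRI allows

def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity value for body, e.g. 'sha384-<base64 digest>' (what srihash.org prints)."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")

def verify_integrity(body: bytes, integrity: str) -> bool:
    """Browser rule: keep tokens of the strongest listed algorithm; accept if any one matches."""
    parsed = []
    for token in integrity.split():
        algo, _, value = token.partition("-")
        if algo in STRENGTH:
            parsed.append((algo, value.split("?", 1)[0]))  # drop any option suffix
    if not parsed:
        return False  # no usable token: treat as a failed check rather than skipping it
    best = max(STRENGTH[a] for a, _ in parsed)
    return any(sri_hash(body, a) == a + "-" + v for a, v in parsed if STRENGTH[a] == best)

TAG_RE = re.compile(r"<script\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(?<!\S)(src|integrity|crossorigin)="([^"]*)"', re.I)

def scripts_missing_sri(html: str) -> list:
    """Report external <script src> tags with no integrity attribute, or with integrity
    but without the crossorigin attribute the browser needs to verify a cross-origin response."""
    findings = []
    for tag in TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        if not src.startswith(("http://", "https://", "//")):
            continue  # same-origin file under the site's own control
        if "integrity" not in attrs:
            findings.append((src, "missing integrity"))
        elif attrs.get("crossorigin", "").lower() not in ("anonymous", "use-credentials"):
            findings.append((src, "integrity set but crossorigin missing"))
    return findings
```

Running `scripts_missing_sri(SAMPLE_HTML)` flags the two unpinned external scripts and the one whose integrity attribute would be rejected for lack of crossorigin; the local module file is skipped.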
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | commerce_braintree-subsource_integrity_check-3090170-2.patch | 1.86 KB | andyg5000 |
Comments
Comment #2
andyg5000 commented
Here's a patch to add the hashes for all versioned resources. I didn't want to add the ones for https://www.paypalobjects.com/api/checkout.js because I don't trust PayPal will serve the same file and it could break sites referencing the wrong hash. Not sure how to handle that one :(
Comment #3
andyg5000 commented (attached commerce_braintree-subsource_integrity_check-3090170-2.patch)
Comment #4
lisastreeter commented
Patch looks good and applied cleanly. I tested all three payment method types as well as a stored payment method on my local dev site. All worked properly.
Comment #6
lisastreeter commented
Committed, thanks!