External CSS Injection
- CWE 601
- WASC 38
- PCI 3.2-6.5.1
- OWASP 2017-A1
It is possible for an attacker to control the href attribute of a link tag and load stylesheets from external resources. Crafted CSS stylesheets can execute unsanitized JavaScript in the global scope on some browsers.
Remediation
With a properly defined Content Security Policy (CSP), the browser would not load external stylesheets.
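To check whether a given policy actually stops an external stylesheet from loading, the following added example (not part of the original page) evaluates a CSP header against a stylesheet URL using the `style-src-elem`, `style-src`, `default-src` fallback order. The function names and the hostnames are hypothetical, and the matcher is simplified: ports and paths in host-sources are ignored, and nonce and hash sources are not evaluated.

```javascript
// Added example: simplified CSP check for <link rel="stylesheet"> loads.
// Assumptions: ports/paths in host-sources are ignored; nonces/hashes not evaluated.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// CSP scheme matching: exact match, or an http source also covers https URLs.
const schemeOk = (want, got) => want === got || (want === 'http:' && got === 'https:');

function sourceMatches(source, url, page) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === page.origin;
  if (s === '*') return ['http:', 'https:'].includes(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, url.protocol);
  if (s.startsWith("'")) return false; // 'none' and keyword sources match no URL
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  const hostOk = host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1))
    : url.hostname === host;
  // A host-source without a scheme inherits the scheme of the protected page.
  return hostOk && schemeOk(scheme ? scheme + ':' : page.protocol, url.protocol);
}

// True if the policy lets a page at pageUrl load the stylesheet at sheetUrl.
function stylesheetAllowed(header, pageUrl, sheetUrl) {
  const page = new URL(pageUrl);
  const url = new URL(sheetUrl, page);
  const d = parseCsp(header);
  // Fallback chain for stylesheet elements: style-src-elem, style-src, default-src.
  const sources = d.get('style-src-elem') ?? d.get('style-src') ?? d.get('default-src');
  if (sources === undefined) return true; // no governing directive: unrestricted
  return sources.some((src) => sourceMatches(src, url, page));
}

// Constructed sample values, not taken from any real deployment.
const PAGE = 'https://app.example.test/profile';
const EXTERNAL = 'https://styles.other.example/theme.css';
console.log(stylesheetAllowed("script-src 'self'", PAGE, EXTERNAL)); // true
console.log(stylesheetAllowed("default-src 'self'", PAGE, EXTERNAL)); // false
```

A policy that only sets `script-src` leaves stylesheet loads unrestricted, and a broad source such as `https:` or `*` in `style-src` still admits any external stylesheet.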