It is possible for an attacker to control src attribute of a script tag and load scripts from external resources.

With a properly defined CSP policy, the browser would not load and execute the external script.

Content Security Policy: script-src