Direct linking via a specific CDN was the problem. This is solved by bundlers, not caused by them.
The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain. ... However, in February this year, a Chinese company bought the domain and the GitHub account. Since then, this domain was caught injecting malware on mobile devices via any site that embeds cdn.polyfill.io.
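One way to audit a page for the direct-linking pattern discussed above, as an added example that is not part of the thread: it reports `<script>` tags loaded from `cdn.polyfill.io`, and any other third-party script that lacks an `integrity` attribute. The sample HTML, the host `cdn.example.net`, the script paths and the base URL are constructed for illustration.

```javascript
// Added example: audit <script> tags for directly linked third-party hosts.
// Only cdn.polyfill.io comes from the thread; extend the set as needed.
const FLAGGED_HOSTS = new Set(['cdn.polyfill.io']);
// Hypothetical base, used only to resolve relative and protocol-relative URLs.
const BASE = 'https://first-party.invalid/';

// Parse one opening tag's attributes into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<script/i, '').replace(/>$/, '');
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per risky external script reference.
function auditScripts(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!attrs.src) continue; // inline script, nothing is fetched
    let url;
    try { url = new URL(attrs.src, BASE); } catch { continue; }
    if (url.origin === new URL(BASE).origin) continue; // relative path: self-hosted or bundled
    const host = url.hostname.toLowerCase();
    if (FLAGGED_HOSTS.has(host)) {
      findings.push({ host, src: attrs.src, issue: 'flagged-host' });
    } else if (!attrs.integrity) {
      findings.push({ host, src: attrs.src, issue: 'no-integrity' });
    }
  }
  return findings;
}

// Constructed sample page covering each case the audit distinguishes.
const SAMPLE_HTML = `
<script src="/static/app.bundle.js"></script>
<script src="https://cdn.polyfill.io/constructed-path.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/lib2.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script>console.log("inline")</script>
`;

console.log(auditScripts(SAMPLE_HTML));
```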
Just went ahead and Googled it and I can find no credible source that he actually said these words at any time. So, if you'd like to bandy out that source, I think we'd all appreciate it.