In a Cross-Site Scripting attack, a server sends the html fil to the client. As a part of that process, the html requests other files (JS and CSS). Many times these come from a third party server, such as JavaScript libraries. The issue with this is when one of the third party servers gets compromised and the script is tainted. In JavaScript, we cannot address this, but we can do some things on the server-side.
We can use Content Security Policy (CSP). This uses an http header to ensure we are getting the content from the proper location.
We can use Cross Origin Resource Sharing (CORS). This uses an http header to allow access to certain domains while restricting possible malicious ones.
Again, these are not really JavaScript solutions, but you need to be made aware of them.