In this case the script wasn't bundled at all - it was hotlinked from a third party CDN. Adding malicious code instantly affects all the sites that load it.
The output differs depending on browser (it only loads the polyfills your browser needs) so it's incompatible with subresource integrity.