Let's just be clear
The scripts WERE NOT hosted on an external resource, they were served from inside BAs infrastructure. The path they came from was:
However, they WERE third party scripts in that they were not written specifically for the BA site, but were local copies of script libraries freely available to web developers from various vendors.
In this case, they were modified versions of the freely available scripts, with malicious extra code added to siphon off users details to an external domain.