Hacker News

Sorry, I should have been clearer here. RiskIQ doesn't distinguish between the CDN and origin in their write-up. That's an assumption on my part; I believe it to be the case that the CMS that serves the JS file is different from the origin server that would be serving the checkout pages and other parts of the BA website. From a quick Google it looks like the CMS path on BA is just a file storage server of some kind.

Most likely the origin server had a hardcoded reference to the CMS path (https://www.britishairways.com/cms/global/scripts/lib/modern...), and if that had been done as

    <script type="text/javascript" src="https://www.britishairways.com/cms/global/scripts/lib/modernizr-2.6.2.min.js" integrity="sha384-5XrDTQbmmgpJKmfKW8outDDdYpRCnIf+nxX2nVR10NyWby6pPcujAELgWVmCu2P/"></script>

I speculate the attack would not have been successful. For an extremely static resource like this it wouldn't have been complex to adopt SRI.



