If they choose to import some code from elsewhere sure. They could run their own advert by hosting "advert.jpg" on their server and wrapping it in an anchor tag.
BA however are a company selling their own product, no need for them to have adverts. If they want to dilute their product with adverts then they take the risk of fines (as well as losing custom)
Why does an airline even need to show advertising on their page in the first place. You'd think they would be most concerned about selling their own product.
Fair enough, but if you're advertising online with any of the major companies today, there's no way to do so effectively without instrumenting at least your landing pages and conversion pages with advertising tagging.
Actually it's worse than that. Even without 3rd party JS, most major websites these days run on large piles of open source libraries that have never been security reviewed (e.g. code from npm, rubygems, PyPi, NuGet) and attackers are increasingly targeting those underlying libraries for compromise...
Basically, yeah. You can specify a hash for third party JS and audit it at that version and you can sandbox JS in iframes, but most people do not do that.
This applies to everyone who has advertising or third party anything on their page, no?