Clarify practices regarding browser polyfills and third party CDNs

[josebolos]

• Adds link explaining what a browser polyfill is.
• Adds the data protection risk to the "use of third party CDN" risks.
• Makes it clearer that using third party CDNs is not an acceptable practice, ever, both in the "static resources" page and in the "polyfill" section of the javascript house style page.
• Also minor whitespace adjustments and updating TOCs for consistency.

[benjclark]

I wonder if we should suggest that any NPM dependency used to load polyfills should be locked down to an exact version in a package.json / package-lock.json, and that version range syntax should not be used. To mitigate risk of an NPM dependency getting compromised and publishing code that we import and load in production. But I guess that applies to any NPM dependency used in production code.

[josebolos]

@benjclark Yeah, good point. Interestingly, we also suggest using SRI which, if my understanding is correct, could also help with these issues. I don't think we use it extensively, though.