The CDN isn't the library, polyfill is the sketchy code library. The CDNs are merely hosting it. The usage of library here is entirely consistent with software development terminology.
The issue isn't CDNs. The issue is code that pulls the latest version of a library, opening it up to supply chain attacks like this. The solution would be to specify exact versions of a library to use.