jquery is never served alone. If you already trust the site to deliver # then it doesn't matter if the jquery is delivered directly from the same site or from the jquery CDN. Any malicious code can be delivered in the site's Javascript. For there to be any extra security the jquery delivered from the CDN would have to be signed with a (trusted) jquery key, but I don't know any browser that checks signatures, or any third-party code provider that signs their browser code.