It could be injected at the server level (worth noting that I didn't see any requests for it when I loaded the page). In terms of XF, the best you can really do is ensure there aren't any unexpected files (which won't be checked by the file health check, though they won't be loaded automatically) and rebuild the master data via /install/. Ideally, you'd want to restore a backup (files and database) from prior to the issue occurring to ensure nothing is untoward.