See: https://webhint.io/scanner/a4526d89-6696-4217-a446-5cd6df5f842b
This code is not given as retirable:

-www.cardinalsurveying.com/wp-includes/js/wp-emoji-release.min.js?ver=4.9.8 benign
[nothing detected] -www.cardinalsurveying.com/wp-includes/js/wp-emoji-release.min.js?ver=4.9.8
status: (referer=http:/XXX/web?q=puppies)saved 12026 bytes d25b738415c1594c4f840904bb876055d96cf256
info: [img] -www.cardinalsurveying.com/wp-includes/js/
info: [decodingLevel=0] found JavaScript
file: d25b738415c1594c4f840904bb876055d96cf256: 12026 bytes

But to what extent it is vulnerable in this respect, read: https://www.reverse.it/sample/f102c18999685fd77dfba87fc5b4c5d82d8cacd38d98320a92647c2c2b0afb1a?environmentId=100

Then here we meet code that is classified as retirable jQuery library code, but not malicious per se:
https://www.virustotal.com/#/url/a5d5d800552b8326da6c5ebd49216cfd9662e7b9633bd46445b4c17f0e81d8e9/detection
Also consider detected: https://retire.insecurity.today/#!/scan/94cf2cbf966708b3bba8486b89d82d8fec17bd5290354215e48705fdf1925d1d

info: [decodingLevel=0] found JavaScript error: undefined function b.attachEvent error: undefined variable b suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes info: Decoding option browser=Firefox, 0 bytes info: Decoding option navigator.systemLanguage=en and navigator.systemLanguage=zh-cn and browser=IE7/XP and browser=IE8/Vista and browser=Opera, 204 bytes info: [element] URL=-www.cardinalsurveying.com/undefined info: [var url] URL=-www.cardinalsurveying.com info: [var newurl] URL=www.cardinalsurveying.com file: c4c5c21521de8b879bd77eff350d4c20c290e25b: 32587 bytes file: 4511baca66d00934eacf20210a486674784db9e4: 183850 bytes file: 1602a10b8eec78a02da27d3ce84533379d7956f8: 183943 bytes file: 5af0e724e6c5a684661f8f2d3588a8596bc34c46: 204 bytes

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)