avoid innerHTML in order to pass strict CSP-Header

[makrohard]

With a strict Content-Security-Policy Header: require-trusted-types-for 'script', the browser will not run scrollnav without a valid policy, because of the use of innerHTML. This can easily be replaced by appendChild.

[jimmynotjim]

Hey @makrohard really sorry about missing this, I don't get to work on this plugin much any more. I'm open to a PR if you have the time. Otherwise I'll try to get to it but no promises, my work and family life have unfortunately made it difficult to work on open source these days.

[makrohard]

see #108