Yes, that is correct that Angular is used in Admin only. Moreover, our implementation of Angular is not using the vulnerable part. But still, in hotfix 185 we updated that library, because not only your tool but pretty much all others were reporting this false positive vulnerability. What the tool does is just checking Kentico version and if it is older than 13.0.185, it will flag ths issue.