Cookies can be scoped by domain or path, but this vulnerability check only looks at domain scope. The domain scope applied to a cookie determines which domains can access it. For instance, cookies can be strictly scoped to a subdomain like www.example.com or loosely scoped to a parent domain like example.com. This means any subdomain of example.com can access the cookie. Loosely scoped cookies are commonly used in large applications.
Scope all cookies to a Fully Qualified Domain Name (FQDN) and ensure they cannot be accessed by unauthorized domains.