Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise.
Weakness
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
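A check for this weakness, added here as an example (not code from the original page): it parses `Set-Cookie` response headers and reports the sensitive cookies that lack the HttpOnly attribute, then shows the corrected header. The cookie names and header values are constructed samples, and the list of names treated as sensitive is an assumption of the example.

```javascript
// Added example: audit Set-Cookie headers for the HttpOnly attribute.
// Attribute names are case-insensitive, so "httponly" counts as set.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  if (eq < 1) return null; // no cookie name: treat as malformed
  // Only attributes after the name=value pair are inspected, so a cookie
  // whose *value* happens to contain "httponly" is not mistaken for safe.
  const attrs = new Set(
    parts.filter(Boolean).map((p) => p.split('=')[0].trim().toLowerCase())
  );
  return { name: first.slice(0, eq).trim(), httpOnly: attrs.has('httponly') };
}

// Return the names of sensitive cookies that are set without HttpOnly.
function findMissingHttpOnly(setCookieHeaders, sensitiveNames) {
  const wanted = new Set(sensitiveNames);
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    if (cookie && wanted.has(cookie.name) && !cookie.httpOnly) {
      findings.push(cookie.name);
    }
  }
  return findings;
}

// Mitigation: the same header with HttpOnly appended when it is absent.
function withHttpOnly(header) {
  const cookie = parseSetCookie(header);
  if (!cookie || cookie.httpOnly) return header;
  return header.trimEnd().replace(/;$/, '') + '; HttpOnly';
}

// Constructed sample headers (not taken from any real application).
const SAMPLE_HEADERS = [
  'session_id=abc123; Path=/; Secure',
  'auth_token=def456; Path=/; Secure; HttpOnly; SameSite=Lax',
  'csrf=xyz; Path=/; secure; httponly',
  'refresh=httponly; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT',
];
const SENSITIVE = ['session_id', 'auth_token', 'csrf', 'refresh'];

for (const name of findMissingHttpOnly(SAMPLE_HEADERS, SENSITIVE)) {
  console.log(`missing HttpOnly: ${name}`);
}
console.log('fixed:', withHttpOnly(SAMPLE_HEADERS[0]));
```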
Potential Mitigations
References