Session data is exposed when cross-domain requests are made with GET. This is not the case with POST requests.
Configure your Org to use POST requests when making cross-domain calls as described in this Salesforce documentation page.
This rule is linked to Common Weakness Enumeration CWE-1021: Improper Restriction of Rendered UI Layers or Frames.
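One way to check this setting in source control before deployment, as an added example that is not part of the original rule text or Salesforce's own tooling. It assumes the org's security settings are retrieved as a `SecuritySettings` metadata file and that the setting is the `enablePostForSessions` field under `sessionSettings`; the field name is not given on this page, and the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace used by Salesforce Metadata API files.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Assumed field: sessionSettings/enablePostForSessions (not named on the page).
FIELD = "md:sessionSettings/md:enablePostForSessions"


def check_post_for_sessions(xml_text):
    """Classify a SecuritySettings document as 'ok', 'weak' or 'unset'."""
    root = ET.fromstring(xml_text)
    node = root.find(FIELD, NS)
    if node is None or node.text is None:
        # Not declared in source: the org value is unknown, verify it in Setup.
        return "unset"
    return "ok" if node.text.strip().lower() == "true" else "weak"


def make_sample(body):
    """Wrap constructed session settings in a SecuritySettings document."""
    return (
        '<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">'
        "<sessionSettings>" + body + "</sessionSettings>"
        "</SecuritySettings>"
    )


# Constructed samples, not taken from a real org.
WEAK = make_sample("<enablePostForSessions>false</enablePostForSessions>")
FIXED = make_sample("<enablePostForSessions>true</enablePostForSessions>")
UNSET = make_sample("<requireHttps>true</requireHttps>")

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("fixed", FIXED), ("unset", UNSET)):
        print(name, "->", check_post_for_sessions(doc))
```

A result of `weak` or `unset` is worth failing a CI check on, since only an explicit `true` shows the POST behaviour is pinned in source.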